Bitdefender researchers recently analyzed 25 apps that made it into Google Play, at least for a time, packing aggressive adware SDKs that bombarded users with ads and avoided removal by hiding their presence. Cumulatively, the apps were apparently downloaded almost 700,000 times by Google Play users.
While Google has gone to great lengths to ban malicious or potentially unwanted applications from the official Android app store, malware developers are nothing if not imaginative when coming up with new ideas to dodge Google Play Protect.
Some of the key techniques found for dodging security vetting revolve around using open source utility libraries (used by Evernote, Twitter, Dropbox, etc.) to run jobs in the background, using different developer names to submit identical code, and even hiding code that is triggered remotely by command & control servers.
Key techniques found for dodging security vetting:
- Main logic is encrypted and loaded dynamically
- Check that system time is at least 18 hours after a specific time using a hardcoded numerical value for the time (not a time object), then it starts hiding its presence
- Use an open source utility library (used by Evernote, Twitter, Dropbox, etc.) to run jobs in the background
- Longer display time between ads (up to 350 minutes)
- Adware SDK, written in Kotlin, with debug symbols present and lack of obfuscation, possibly mimicking clean SDKs
- Use different developers to submit identical code base
- Hiding code that is triggered remotely by server config or command, no more used timers
- Uploading an initially clean application and then adding a malicious update
For a more detailed technical analysis, please check out the technical paper below: