Dozens of Apps Still Dodging Google’s Vetting System

Bitdefender researchers recently analyzed 25 apps that made it into Google Play, at least for a time, packing aggressive adware SDKs that bombarded users with ads and avoided removal by hiding their presence. Cumulatively, the apps were apparently downloaded almost 700,000 times by Google Play users.

While Google has gone to great lengths to ban malicious or potentially unwanted applications from the official Android app store, malware developers are nothing if not imaginative when coming up with new ideas to dodge Google Play Protect.

Some of the key techniques found for dodging security vetting revolve around using open source utility libraries (used by Evernote, Twitter, Dropbox, etc.) to run jobs in the background, using different developer names to submit identical code, and even hiding code that is triggered remotely by command & control servers.

Key techniques found for dodging security vetting:
  • Main logic is encrypted and loaded dynamically
  • Checks that the system time is at least 18 hours after a specific time, using a hardcoded numerical value for the time (not a time object), and then starts hiding its presence
  • Uses an open source utility library (used by Evernote, Twitter, Dropbox, etc.) to run jobs in the background
  • Longer display time between ads (up to 350 minutes)
  • Adware SDK, written in Kotlin, with debug symbols present and lack of obfuscation, possibly mimicking clean SDKs
  • Uses different developers to submit an identical code base
  • Hiding code that is triggered remotely by server config or command, with timers no longer used
  • Uploading an initially clean application and then adding a malicious update
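
A defender-side sketch of how the time-gate technique in the list above can be surfaced during static review. This is an added example, not code from Bitdefender or from the analyzed apps; the function names, the 2015 to 2035 plausibility window and the decompiled snippets are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Plausible window for a hardcoded reference time (assumption of this example).
LO = datetime(2015, 1, 1, tzinfo=timezone.utc).timestamp()
HI = datetime(2035, 1, 1, tzinfo=timezone.utc).timestamp()
CLOCK = re.compile(r"currentTimeMillis\s*\(\s*\)")
NUM = re.compile(r"(?<![\w.])(\d[\d_]*)[lL]?\b")
HOUR_MS = 3_600_000
WINDOW = 5  # lines inspected on each side of a clock read

def as_epoch(n):
    """Return a UTC datetime if n looks like epoch seconds or millis."""
    for scale in (1, 1000):
        if LO <= n / scale <= HI:
            return datetime.fromtimestamp(n / scale, tz=timezone.utc)
    return None

def find_time_gates(source):
    """Flag clock reads that have a raw epoch literal (and delay) nearby."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not CLOCK.search(line):
            continue
        nearby = lines[max(0, i - WINDOW): i + WINDOW + 1]
        nums = [int(m.group(1).replace("_", ""))
                for text in nearby for m in NUM.finditer(text)]
        epochs = [n for n in nums if as_epoch(n)]
        # Whole-hour millisecond constants are candidate activation delays.
        delays = [n // HOUR_MS for n in nums
                  if n >= HOUR_MS and n % HOUR_MS == 0 and not as_epoch(n)]
        for n in epochs:
            findings.append({"clock_line": i + 1, "literal": n,
                             "utc": as_epoch(n).isoformat(),
                             "delay_hours": delays})
    return findings

# Constructed decompiled snippets, not taken from the analyzed apps.
SUSPECT = """
boolean ready() {
    long ref = 1567296000000L;
    return System.currentTimeMillis() - ref >= 64800000L;
}
"""
BENIGN = """
long start = System.currentTimeMillis();
while (System.currentTimeMillis() - start < 5000) { poll(); }
"""
```

A hit is a lead for manual review rather than a verdict, since legitimate code also compares the clock against fixed dates such as licence or campaign expiry.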

For a more detailed technical analysis, please check out the technical paper below:

Dozens of Apps Still Dodging Google’s Vetting System

About the author

Liviu ARSENE

Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in the geek universe.

About the author

Ioan-Septimiu Dinulica

Ioan Septimiu Dinulica is a Junior Security Researcher and a Master's in Software Engineering student at Politehnica University of Timișoara. His main interests are Android malware research and cloud computing. In his spare time he enjoys travelling, playing tennis and reading.

About the author

Razvan Gabriel Gosa

Razvan Gosa is a Junior Security Researcher currently studying at the Politehnica University Timisoara. After joining Bitdefender as an intern and having the chance to try out various technologies, including machine learning, he’s now a full-time member of the Bitdefender team. Currently part of the Android team, his main focus is malware threat research. When he’s not at work, he’s either at home gaming or hiking with friends.

About the author

Vlad Constantin Ilie

About the author

Alin Mihai Barbatei