Google revealed that its enhanced security features and app review process helped it block 1.43 million bad apps from publishing to the Play Store in 2022.
Additionally, the company says it has banned 173,000 bad accounts and fended off more than $2 billion in fraudulent and abusive transactions via developer-facing features such as the Voided Purchases API, Obfuscated Account ID, and the Play Integrity API.
The addition of identity verification methods such as phone numbers and email addresses to join Google Play contributed to a reduction in accounts used to publish apps that went against its policies, Google said.
The search giant further said it “prevented around 500K submitted apps from accessing unnecessarily sensitive permissions over the past 3 years.”
By comparison, Google blocked 1.2 million policy-violating apps from being published and banned 190,000 bad accounts in 2021.
The development comes weeks after Google enacted a new data wipe policy that requires app developers to offer “easy to find options” to users from both within apps and outside of them.
Despite these efforts by Google, cybercriminals continue to look for ways to circumvent app storefront security protections and publish malicious apps and adware.
For example, the McAfee Mobile Research Team found 38 games impersonating Minecraft that have been installed by no fewer than 35 million users worldwide, primarily located in the US, Canada, South Korea and Brazil.
These gaming apps, while offering the promised functionality, were found to incorporate the HiddenAds malware, which silently loads ads in the background to generate illegal revenue for its operators.
Some of the most downloaded apps are as follows –
- Block Box Master Diamond (com.good.robo.game.builder.craft.block)
- Craft Sword Mini Fun (com.craft.world.fairy.fun.everyday.block)
- Block Box Skyland Sword (com.skyland.pet.realm.block.rain.craft)
- Crazy Sword Monster Craft (com.skyland.fun.block.game.monster.craft)
- Block Pro Forrest Diamond (com.monster.craft.block.fun.robo.fairy)
“One of the most accessible content for young people using mobile devices is games,” McAfee said. “Malware creators also know this and try to hide their harmful features in games.”
Complicating matters is the surge in Android banking malware that threat actors can weaponize to gain access to victims’ devices and retrieve personal information.
Another emerging trend is the use of binding services to trojanize legitimate apps and hide bogus APK payloads. This technique has been adopted by bad actors to distribute an Android botnet dubbed DAAM, Cyble said.
The malware, once installed, establishes a connection with a remote server to perform various malicious actions, including acting as ransomware by encrypting files stored on the device using passwords retrieved from the server.
DAAM also abuses Android accessibility services to monitor user activity, thereby enabling it to log keystrokes, record VoIP calls from instant messaging applications, collect browser history, call logs, photos, screenshots, and SMS messages, execute arbitrary code, and open phishing URLs.
“Malware creators often leverage genuine applications to distribute malicious code to avert suspicion,” the cybersecurity firm said in an analysis published last month.
The findings also follow an advisory from CloudSEK, which found that several popular Android apps such as Canva, LinkedIn, Strava, Telegram, and WhatsApp do not invalidate or revalidate session cookies after app data is transferred from one device to another.
While this attack scenario requires that the adversary have physical access to the target’s phone, it does allow them to take over accounts and gain unauthorized access to confidential data.
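The server-side revalidation that the session cookie finding points to can be modelled as follows. This is an added example, not code from the article, CloudSEK, or any of the named apps; the `Device` and `Server` classes are hypothetical, and it assumes the device holds a non-exportable keystore key that a data transfer does not copy (an HMAC key stands in for a keystore key pair here).

```python
import hashlib
import hmac
import secrets


class Device:
    """Constructed model of a phone: a device-to-device transfer copies app
    data, but not the keystore key (assumed hardware-backed, non-exportable)."""

    def __init__(self):
        self.keystore_key = secrets.token_bytes(32)
        self.app_data = {}

    def transfer_app_data_to(self, other):
        other.app_data = dict(self.app_data)  # the session cookie travels too

    def prove(self, nonce):
        return hmac.new(self.keystore_key, nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, revalidate):
        self.revalidate = revalidate
        self.sessions = {}  # cookie -> key registered at login

    def login(self, device):
        cookie = secrets.token_urlsafe(32)
        # Stand-in for registering the public half of a keystore key pair.
        self.sessions[cookie] = device.keystore_key
        device.app_data["session_cookie"] = cookie

    def request(self, device):
        cookie = device.app_data.get("session_cookie")
        bound_key = self.sessions.get(cookie)
        if bound_key is None:
            return "login required"
        if self.revalidate:
            nonce = secrets.token_bytes(16)  # fresh challenge per request
            expected = hmac.new(bound_key, nonce, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, device.prove(nonce)):
                del self.sessions[cookie]  # invalidate the copied session
                return "login required"
        return "ok"


def run_transfer_scenario(revalidate):
    """Returns (old phone result, new phone result) after a data transfer."""
    server, old_phone, new_phone = Server(revalidate), Device(), Device()
    server.login(old_phone)
    old_phone.transfer_app_data_to(new_phone)
    return server.request(old_phone), server.request(new_phone)
```

With `revalidate=False` the copied cookie is accepted on the second device; with `revalidate=True` the mismatch forces a fresh login and revokes the session.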
To mitigate these threats, it is recommended to enable two-factor authentication (2FA) to add an extra layer of account protection, check app permissions, secure the device with a password, and avoid leaving it unattended in public places.