Malicious app developer remains on Google Play
Google is still unable to keep malicious apps from being listed in its app store, and it seems that some developers that have been cited don't even get kicked off the platform. Security software company Malwarebytes reported Tuesday that four apps listed by developer Mobile apps Group contain a well-known malware used to steal users' information. At the time of reporting, all four apps were still listed on the Google Play Store.
Even worse, Malwarebytes wrote that the developer in question has been found to distribute malware in their apps before, but they can still list their apps in Google’s main app store.
The apps are listed by the company Mobile apps Group, whose listing on the Play Store includes the tagline “Using the smart app, you guarantee a strong and reliable Bluetooth pairing with any device.” The apps include:
- Bluetooth Auto Connect
- Driver: Bluetooth Wi-Fi, USB
- Bluetooth app transmitter
- Mobile transfer: smart switch
Nathan Collier, a malware intelligence analyst for Malwarebytes, wrote that when users first install Bluetooth Auto Connect, there is a delay of several days before it starts opening phishing websites in Chrome. These websites run in the background even if a device is locked and open automatically when users unlock their phones. These phishing sites allegedly include porn sites that lead to phishing sites or other sites that spam users with messages that they have been hacked and need to perform an update.
The Mobile Apps Group has been cited twice in the past for listing malware-infected apps, according to Collier. Other cybersecurity researchers have blogged about an earlier version of Bluetooth Auto Connect. Two days after that blog and subsequent takedown, the developers released a 3.0 version on Google Play, meaning the malicious developers didn't even get a probation period. The developers released the current 5.7 version of the app in December last year, meaning the malware has potentially persisted for almost a year.
Google did not immediately respond to Gizmodo's request for comment. Google has a stated policy against any app that contains malware of any kind, and it says its system warns users if it detects a malware policy violation.
Collier wrote that the first log entry from the malware, called Android/Trojan.HiddenAds.TBGTHB, was recorded a few hours after he installed the app, although that delay varies between the different apps.
There have been many other high-profile malicious app scandals on Google Play, including one Muslim prayer app which was retrieving users' phone numbers. Last year, Google removed nine other apps from the store after researchers found they were using malware to steal users' Facebook logins.
Delaying the malware's activity is a common way bad actors get around app store filters, Collier wrote. It's still unclear why Google failed to detect these apps, but another recent report from the cybersecurity company Bitdefender noted there were 35 other malicious apps listed on the Play Store that have amassed over 2 million downloads in total. That August report noted that once these apps are installed, they rename themselves and change their app icon to confuse users and avoid detection. An even earlier report from July by Dr. Web noted that a few dozen other malware-infected apps were modifications of known malware.
Google Play Protect is the company's built-in malware defense program, and according to its own site, it scans over 100 billion apps on Google Play every day. But researchers have previously noted that it routinely fails to catch malware; it ranked last among security apps in 2021 tests by IT security researchers at AV Test.