sb-nz logo
Story image

Malware found prowling within every app of alternative Android store

27 Jul 2017

​ESET researchers have discovered an alternative Android app store was spreading malware within every single offered Android app.

When users browsed CepKutusu.com, a Turkish alternative Android app store, and went on to download an app, the ‘Download now’ button in actual fact led to banking malware instead.

A few weeks after ESET brought the infection to the store operator’s attention, the store ceased the malicious activity.

Malware researcher at ESET, Lukáš Štefanko says this is the first time he has ever seen an entire Android market infected like that.

Within the Windows ecosystem and in browsers, this technique is known to have been used for some time but in the Android ecosystem, it’s really a new attack vector,” says Štefanko.

“As for the impact, what we saw in this particular case was most probably a test. The crooks misused their control of the app store in the simplest manner. Replacing the links to all apps with a link to a single malicious app requires virtually no effort – but it also gives the store’s customers a fair chance to detect the scam.”

The malicious app distributed by the store at the time was remotely controlled banking malware capable of intercepting and sending SEMS, displaying fake activity, in addition to downloading and installing other apps.

However, when installed the malware didn’t mimic the app the user intended to install, but instead imitates Flash Player.

While an app store serving its customers with malware on a mass scale is a huge threat, however, serving Flash Player instead of whatever customers wanted is a thinly veiled disguise that no doubt resulted in the only few hundred infections.

Štefanko says this only strengthens his case that it was just a test from the cybercriminals, and he has no dounbt the attacks will get worse.

“I can imagine a scenario in which the crooks who control the store’s back end append a malicious functionality to each of the apps in the store, Štefanko  says.

“Serving those interested in a particular game with a trojanised version of that game... That would remove the biggest red flag and the number of victims might rise significantly.”

Štefanko puts down attribution of the attack to three possible scenarios – a legitimate app store turned malicious by an employee with bad intentions, a legitimate app store becoming a victim of a remote attacker, or an app store built with the intention to spread malware.

“As for scenarios one and two, I would think that such an attack would not go unnoticed by a legitimate store. User complaints, suspicious server logs and changes in code should be sufficient indicators for its operators…. The more that the malware was being distributed via the store for weeks,” says Štefanko .

“Also of interest in this regard is that we contacted the store operators with our findings but have not received any reaction.”

Story image
Kaspersky finds red tape biggest barrier against cybersecurity initiatives
The most common obstacles that inhibit or delay the implementation of industrial cybersecurity projects include the inability to stop production (34%), and bureaucratic steps, such as a lengthy approval process (31%) and having too many decision-makers (23%). More
Story image
Check Point acquires Odo Security to bolster remote security offering
The deal will integrate Odo’s remote access software with Check Point’s Inifinity architecture, bolstering the latter company’s remote security capabilities in a time where working and learning from home has become the norm, and looks to largely remain that way in the near future.More
Story image
IT leaders fear increase risk of cyber attacks while working from home
More than 80% of IT leaders believe their company is at a greater risk of cyber attacks when their staff are working from home, according to new research. More
Story image
CrowdStrike integrates with ServiceNow program to bolster incident response
As part of the move, users can now integrate device data from the CrowdStrike Falcon platform into their incident response process, allowing for the improvement of both the security and IT operation outcomes.More
Story image
Thales: A/NZ cybersecurity approach more talk than action
“While some organisations are talking a good story … predicted spending shows that most have the wrong focus.”More
Story image
The importance of selecting a secure SD-WAN solution
It’s essential to adopt a secure SD-WAN solution to avoid the risks that an unsecured SD-WAN solution can introduce, writes Wavelink managing director Ilan Rubin.More