The number-one rule of safely downloading apps is to use the official app marketplace, whether it is the App Store or Google Play, or a vendor’s store.
That’s why the news from Bitdefender researchers is so alarming. They discovered sophisticated CAPTCHA-bypassing Android malware in Google Play apps. The piece of malware itself was discovered in 2014, but it was distributed through those third-party sites. According to a release, this is the malware’s first occurrence in the official Google Play store, as it appears that the malware developers discovered new ways of packing it into seemingly legitimate apps that can bypass Google’s vetting system.
The malware takes advantage of the authentication system. As Tech City News explained:
The malware works by kicking into action after a user downloads a seemingly benign gaming app. Once installed with the app, the malware pulls up a premium SMS subscription service website that contains a CAPTCHA. At this point, the malware extracts the CAPTCHA image and sends it over to Antigate, a company that promises real-time translation and verification of CAPTCHA images.
Once the information is verified, the malware sets up a subscription for the service. While the cost isn’t much per month, it is there without the user’s knowledge, and is making a bundle for the thieves. (It’s important to note that the app does request permission first, but let’s be honest – how many people bother to read the permissions?)
More importantly, the fact that the malware has made it into Google Play now raises questions about the marketplace’s security.
Android isn’t the only OS with malware problems that involve the app marketplace. More than 200,000 iPhone accounts were compromised via malware. According to Top Tech News:
It’s called KeyRaider and it appears to be the largest known malware-related Apple account theft in iOS history. Criminals aimed to use the information to download applications from the official App Store and make in-app purchases without actually paying.
True, this malware specifically targets jailbroken iPhones, but it also shows that iOS users need to be aware of potential malware problems.
Alin Barbatei, Bitdefender researcher, said the following in a release, and although Barbatei is specifically talking about the Android problem, I think the statement speaks to overall concerns:
A mobile security solution needs to be installed on the device to identify malicious applications – regardless from where they have been downloaded – and block threats from causing irreparable financial harm or personal data loss.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba