News - Malware & Hoax - TG Soft Cyber Security Specialist

13/01/2014
18:49

How safe is really Google Play Store?

The CRAM (Anti-Malware Research Center of TG Soft) team has carried out a little study on the Android apps distribution platform by Google, discovering 9 malicious apps out of a total of 500.

The CRAM (Anti-Malware Research Center of TG Soft) team has carried out a little study on the Android apps distribution platform by Google.

In order to perform a real-world protection test, we decided to connect on Google Play Store and download some of the most popular apps of the market. We have downloaded a total of 500 apps, of which 9 were found to be malicious. According to these number, then, 1.8% of the apps on Google Play are actually malicious.
Of course, this study should definitely not be considered complete. Indeed, the dataset studied is rather too small to asses the overall safety of Google Play Store. However, it can give a rough idea.

Icon	App	Downloads	Malware
	Talking Tom & Ben News Free com.outfit7.talkingnewsfree	10.000.000-50.000.000	Adware.Youmi
	Tom ama Angela com.outfit7.tomlovesangelafree	10.000.000-50.000.000	Adware.Youmi
	FIFA 2014 - The Soccer Game com.tam.soccer.free.game	500.000-1.000.000	Adware.Airpush
	File Manager Pro org.tellmej.filemanager	100.000-500.000	Adware.Airpush
	Sketch Pad dex.dex.dex5	50.000-100.000	Adware.Plankton
	Naked Scanner Magic com.naked.scanner.magic.fun.app	10.000-50.000	Adware.Airpush
	Real Basketball com.bktballelite.com	10.000-50.000	Trojan.FakeMarket
	Cricket 2014 com.tam.cricket.free.game	1.000-5.000	Adware.Airpush
	Mp3 Cutter - Ringtone Maker com.best.ringtone.maker.music.cutter	1.000-5.000	Adware.Airpush

In particular, 8 of the malware discovered are Adware which just display annoying, often misleading advertisements and are detected by most of the commercial Android Anti-Virus solution. However, one of them (i.e. "Real Basketball") is a zero-day, or next-generation malware that is not yet detected by any of the commercial Anti-Virus solutions. This is a Trojan which pretends to be nothing less than Google Play itself (which is quite funny since it is distributed on the real Google Play Store)!

Browsing the Google Play Store, the Trojanized app pretends to be a basketball videogame.

However, when you download it, the Trojan will be installed as: "Google Play".

If we launch it, the malware will open the Google Play Store page of Facebook. However, in background, it will start to connect to several web pages at the unbeknownst of the user. Some of these websites are:

redirects.ero-advertising.com
banners.ero-advertising.com
adspaces.ero-advertising.com
www.fethullahhocam.com/advertising.php
www.mobilefilmizle.com/ipzaman.php

In particular, the URLs of the ero-advertising.com website are of the form: http://redirects.ero-advertising.com/speedclicks/in.php?pid=[...]&siteid=[...]&spaceid=[...]&mdoc=[...]
Where pid, siteid and spaceid are differents IDs while mdocwill contain the actual URL that will be opened, such as:

www.xnxxvideosesso.com
www.youpornitaliano.tv
www.maxsesso.com

It is very likely the Trojan uses this technique to earn money through the imitation of user's "clicks" on various ads. This cyber attack is known as: click fraud.

All the apps have been all reported to Google. Hopefully, Google will proceed to remove these malware from the market soon.

-------------------------
Paolo Rovelli
Mobile Developer & Malware Analyst
CRAM (Anti-Malware Research Center) by TG Soft S.a.s.

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

This website uses cookies
We use cookies to customize language, content and provide technical functionality. They are NOT used for profiling or reselling to third parties. There are pages where "Google reCaptcha" will be present, even in this case, our purpose is only to be able to ascertain the presence of human interaction and not automatic Bots.

Necessary 5

The necessary cookies help make the website usable by enabling basic functions such as page navigation. The website cannot function properly without these cookies.

ASP.NET_SessionId [x2]
Preserve the user's status on the different pages of the site.

Expiration: Session

Type: HTTP

cookie_accettati [x1]
Stores the user's cookie consent status for the current domain

Expiration: 1 year/s

Type: HTTP

lang [x1]
Stores the selected language

Expiration: 1 year/s

Type: HTTP

ASPSESSIONIDxxxx
Technical cookie for the management of interactions with the user

Expiration: Session

Type: HTTP

Necessary (for use and access to specific areas) 2

Cookie necessary to make certain specific contents usable such as: access to protected areas of the site, sending requests or subscribing to newsletters. The specific features of these sections will not be usable without this cookie.

_GRECAPTCHA [x1]
Necessary to verify human interaction.
Used to send quotes, access restricted areas and all those points where security is a fundamental component.

Expiration: 6 month/s

Type: HTTP

cookie_google [x1]
Flag for acceptance of Google reCAPTCHA cookies

Expiration: 6 month/s

Type: HTTP

Accept the reCAPTCHA Terms of Service:
By accessing or using the reCAPTCHA APIs, you agree to the Google APIs Terms of Use, Goodle Terms of Use, and to the Additional Terms below. Please read and understand all applicable terms and police before accessing the APIs.

reCAPTCHA Terms of Service:
You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and application data and the results of integrity checks, and sending that data to Google for analysis. Pursuant to Section 3(d) of the Google APIs Terms of Service, you agree that if you use the APIs that it is your responsibility to provide any necessary notices or consents for the collection and sharing of this data with Google.

Data collected by reCAPTCHA:
The reCAPTCHA algorithm will check for the presence of a Google cookie (usually _ga)
If not present, a specific reCAPTCHA cookie will be added to the browser of the user and will be captured - pixel by pixel - a complete snapshot image of the user's browser window at that time.
Some of the browser and user information currently collected includes:
All cookies placed by Google in the last 6 months
How many mouse clicks did you make on that screen (or touch if on a touch device)
The CSS information for that page
The exact date
The language in which the browser is set
Any plug-in installed in the browser
All Javascript objects

How safe is really Google Play Store?

Vir.IT eXplorer PRO is certified by the biggest international organisation: