by Al Sacco

Android Malware Infiltrates Google Play Store, Infects 100K Devices

Jul 12, 2012 (2 min read)

Malicious Super Mario Bros. and Grand Theft Auto games slipped by Google's "Bouncer" Play Store malware detector and infected as many as 100,000 users before being identified by a security researcher and yanked by Google.

Though most mobile security researchers, and even Google itself, readily acknowledge the looming Android security threat, conventional wisdom suggests that if you simply avoid third-party app stores, stick to Google’s Play Store, and check all app permissions before installing new software, you really have nothing to worry about.


But as Android malware gets more sophisticated, and the potential reward for malware creators grows along with Android market share—which is now almost 60 percent of the entire global mobile market, according to IDC—this wisdom is, well, just not very wise.

Case in point: A new Android Trojan made it past Google’s “Bouncer” malware detector in the Play Store and infected as many as 100,000 Play customers over a period of weeks before being identified by Symantec, which then alerted Google so it could pull the malicious software. The Trojan was distributed by rogue versions of Super Mario Bros. and Grand Theft Auto games. And it reportedly sent expensive SMS messages without users’ permission before removing the harmful components to avoid detection. (The malware did not, however, affect everyone who downloaded it; instead it apparently targeted users in Eastern Europe.)

The incident is noteworthy not only because it proved that it’s not particularly hard to sneak malware by Google’s Bouncer—as previously demonstrated here—but it also represents the largest number of users infected via Google-Play-distributed apps that I can remember. The fact that the malicious software remained live in Google Play for so long is also “interesting.” And the malware was fairly sophisticated; it actually downloaded the malicious code after installation on victims’ devices using a “remote payload” process that allowed the software to be installed in stages to circumvent the Bouncer safeguards, as described by Symantec here.
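The two behaviours described above, premium SMS sending and a payload fetched only after installation, leave static traces that an app-vetting pipeline can look for before a package ever reaches a device. The following Python script is an added example written for this post; it is not Symantec's analysis or any Google Bouncer logic, and the sample manifest, the decompiled-string list and the indicator names are constructed assumptions standing in for what a real unpacked APK would yield. It flags an SMS permission paired with SMS API references, and a dynamic class loader paired with a download URL, which is the general shape of a staged "remote payload" install.

```python
"""Static triage heuristic for a repackaged Android game (added example).

The manifest, the string list and the marker names below are constructed
assumptions, not artefacts from the Trojan discussed in the post."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a "game" that asks for SMS rights (assumption).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Super Game"/>
</manifest>
"""

# Constructed strings as a decompiler would list them (assumption): a class
# loader plus a download URL is the usual footprint of a staged payload.
SAMPLE_STRINGS = [
    "dalvik.system.DexClassLoader",
    "http://update.example.invalid/payload.jar",
    "android.telephony.SmsManager",
    "sendTextMessage",
]

# Constructed benign counterpart: a game that only needs the network.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleangame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Clean Game"/>
</manifest>
"""
BENIGN_STRINGS = ["android.widget.TextView", "https://scores.example.invalid/api"]

SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"}
SMS_API_MARKERS = ("SmsManager", "sendTextMessage", "sendMultipartTextMessage")
LOADER_MARKERS = ("DexClassLoader", "PathClassLoader", "loadDex")
URL_RE = re.compile(r"https?://\S+")


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}


def triage(manifest_xml, strings):
    """Return a list of findings; an empty list means no indicator fired."""
    perms = declared_permissions(manifest_xml)
    sms_perm = bool(perms & SMS_PERMS)
    sms_api = any(m in s for s in strings for m in SMS_API_MARKERS)
    loader = any(m in s for s in strings for m in LOADER_MARKERS)
    urls = [s for s in strings if URL_RE.search(s)]

    findings = []
    if sms_perm and sms_api:
        findings.append("sms-capable: SMS permission plus SmsManager references")
    if loader and urls and "android.permission.INTERNET" in perms:
        findings.append("staged-payload: runtime class loading plus download URL(s)")
    if sms_perm and loader:
        findings.append("high: SMS permission combined with runtime code loading")
    return findings


if __name__ == "__main__":
    for label, manifest, strings in (("sample", SAMPLE_MANIFEST, SAMPLE_STRINGS),
                                     ("benign", BENIGN_MANIFEST, BENIGN_STRINGS)):
        print(label, triage(manifest, strings) or ["no findings"])
```

The heuristic is deliberately conservative: a download URL alone is normal for any online game, and a class loader alone has legitimate uses, so only the combinations raise findings. It also shows why staging works against a one-shot scanner such as Bouncer: if the submitted package contains neither the SMS code nor the loader strings, and the post reports that this Trojan even removed its harmful components afterwards, a static pass over the store copy finds nothing, so the same check needs to run against what actually lands on the device, not only what was uploaded.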

The malware creator chose two very popular game titles in order to infect as many users as possible. And the ruse clearly worked. However, the developer listed on Google Play along with the games probably should have raised a red flag for users, since the name is not familiar and both Super Mario Bros. and GTA are created by big name developers—in fact, Nintendo doesn’t create Android games, and the official GTA Android game in Google Play is created by the official developer, Rockstar Games.

That said, the Android security landscape is feeling more and more like the mobile market’s Wild West.


via Symantec