Half a million Android users tricked into downloading malware from Google Play

By: Zack Whittaker

More than half a million users have installed Android malware posing as driving games — from Google’s own app store.

Lukas Stefanko, a security researcher at ESET, tweeted details of 13 gaming apps — made by the same developer — which were at the time of his tweet downloadable from Google Play. Two of the apps were trending on the store, he said, giving the apps greater visibility.

Combined, the apps surpassed 580,000 installs before Google pulled the plug.

Anyone downloading the apps were expecting a truck or car driving game. Instead, they got what appeared to be a buggy app that crashed every time it opened.

In reality, the app was downloading a payload from another domain — registered to an app developer in Istanbul — and installed malware behind the scenes, deleting the app’s icon in the process. It’s not clear exactly what the malicious apps do; none of the malware scanners seemed to agree on what the malware does, based on an uploaded sample to VirusTotal. What is clear is that the malware has persistence — launching every time the Android phone or tablet is started up, and has “full access” to its network traffic, which the malware author can use to steal secrets.

We reached out to the Istanbul-based domain owner, Mert Ozek, but he did not respond to our email. (If that changes, we’ll update).