FOCUS MODE
EXTRACT IOC
Threat Research

Hundreds of Malicious Google Play-Hosted Apps Bypassed Android 13 Security With Ease

BitDefender
Hundreds of Malicious Google Play-Hosted Apps Bypassed Android 13 Security With Ease
Bitdefender has uncovered a widespread ad fraud scheme utilizing over 331 malicious apps on the Google Play Store, which have amassed more than 60 million downloads. These apps display unwanted ads and attempt to extract user credentials and credit card information through phishing tactics. The campaign shows how criminals actively exploit vulnerabilities in app distribution platforms, emphasizing the need for enhanced mobile security measures. Affected: Google Play Store, Android devices

Keypoints :

  • More than 331 malicious apps involved in an ad fraud campaign.
  • Apps have collectively garnered over 60 million downloads.
  • Attackers have developed methods to hide app icons and evade detection.
  • Apps display intrusive ads above other applications without necessary permissions.
  • Phishing attempts target user credentials and credit card data.
  • The campaign has both persistent and dynamic manipulative behaviors.
  • New tactics bypass recent Android security measures, indicating evolution of attacks.

MITRE Techniques :

  • Tactic: Initial Access; Technique: App Store Submission (T1403) – Criminals submit malicious apps to the Google Play Store.
  • Tactic: Impact; Technique: Ad Fraud (T1470) – Apps display ads without user consent and misleadingly direct users to phishing sites.
  • Tactic: Persistence; Technique: Compromise System Firmware (T1210) – Apps use persistence methods such as creating foreground services to avoid being removed.
  • Tactic: Execution; Technique: Command-Line Interface (T1059) – Malicious code is executed without user interaction.
  • Tactic: Exfiltration; Technique: Exfiltration Over C2 Channel (T1041) – Exfiltrated user data via dedicated command and control domains using various encryption methods.

Indicator of Compromise :

  • [URL] http://malicious[. ]com/path
  • [Domain] malicious[. ]com
  • [Package Name] com.example.maliciousapp1
  • [Package Name] com.example.maliciousapp2
  • [IP Address] 192.168.1.1

Full Story: https://www.bitdefender.com/en-us/blog/labs/malicious-google-play-apps-bypassed-android-security

Tags: TOOL, SPAM, PHISHING, ANDROID, MOBILE, EXPLOIT, INITIAL ACCESS, IMPACT