Wednesday, December 18, 2024

New Google Play Store Warning—Do Not Update These Apps


Google is narrowing the gap between Android and iPhone, with changes to Play Store and Play Protect, and with Android 15 delivering the safest, most secure version of Android there has ever been. But it’s not yet enough, as a stark new report from Zimperium shows in frightening detail. The report will be published on Tuesday, but its findings are here first. You should not update your apps until you have read this.

The team has found “172 targeted applications,” which include “banks, social networks and cryptocurrency wallets,” amongst them some of the most popular apps in the Android ecosystem. The apps were targeted with malware that can present overlay login screens to steal credentials, intercept SMS messages to steal 2FA codes, and deploy a new method to capture and then remotely use phone PIN lock codes.


The malware installs behind a fake Google Play Store update screen; when the user taps “Update” or “Continue”, the malware is granted access to Accessibility Services and abuses that access to draw overlays on top of other apps and even the lock screen, stealing passwords and codes.

Zimperium’s Nico Chiaraviglio told me that “Android 15’s focus on security will likely reduce risks,” but that “its open architecture will continue presenting more attack vectors than iOS’s controlled ecosystem.” It’s hard to argue.

The best attacks are well timed. And this latest “complex phishing campaign” was exactly that. “Millions of job seekers are unknowingly walking into a digital trap,” Zimperium warns, “falling victim to a new wave of cyber scams that exploit their trust and vulnerability… There has been a plethora of layoffs across every industry and with the holidays around the corner, job seekers are undoubtedly stressing when it comes to job applications and these scams couldn’t come at a worse time.”

The best attacks also fake trusted brands to lure users into clicking, downloading and installing what they shouldn’t. And again this campaign hit the mark. Not only did it have backend code to fake logins for dozens of financial apps, it “also masqueraded as Chrome and TikTok apps, demonstrating its wide-ranging targeting.” You can see typical faked Play Store screens below—if you see these, do not tap ‘continue’.

The attack starts with an email, a job offer for example, which tricks the victim into installing a supposedly relevant app to complete the application process. That app is a dropper which downloads the malware-laced app that actually infects the device. Once installed, the malware attacks unrelated, targeted apps on the device to harvest the user credentials and 2FA codes needed to access financial accounts.

This is the same Antidot threat disclosed by Cyble in May—a trojan “masquerading as a Google Play update app.” Those attacks mocked up popular banking app login screens, overlays that tricked users into entering credentials. The malware also intercepted SMS messages, stealing 2FA codes. The playbook has not changed.

Copycat apps and updates have plagued Android this year, prompting Google to enhance its Play Protect service and to give developers the means to restrict app updates to the Play Store, and even to stop copies of their apps that originated elsewhere from working. Next year, the Play Integrity API will also let developers restrict their apps to newer phones running updated firmware. None of that prevents users clicking on dangerous links though, which is why Google, Samsung and others are clamping down on sideloading.

Zimperium has dubbed this latest attack AppLite, and says “the attackers behind this phishing campaign exhibit a high degree of adaptability, utilizing multiple strategies to target victims.” Don’t just be on the lookout for job offers. The lures can be anything, and the team also discovered educational phishing attacks.

The use of overlays is increasingly common, and can be used across multiple apps to capture credentials that can be exfiltrated and used immediately. “Once the user launches a targeted application, the malware fetches a malicious HTML payload from the command and control server and superimposes it onto the legitimate application’s user interface, effectively creating a deceptive overlay.”

As we often see, the malware relies on Accessibility permissions to take control of a device; as a reminder, you should never enable these for an app unless absolutely necessary. An update button for an installed, well-known app, dressed up with a Google Play Store logo, is enough to entice a user into granting the Accessibility permissions that let the malware collect the data required to hijack a banking account.
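The two conditions the article describes, an app that arrived outside the Play Store and has since been granted an accessibility service, are both visible from a developer shell, and checking for the combination is a reasonable first triage step on a suspect handset. The script below is an added example, not code from Zimperium, Forbes or Google. It parses the output of two standard Android commands (`pm list packages -i`, which prints each package with its recorded installer, and `settings get secure enabled_accessibility_services`, which prints the enabled services as `package/service` pairs separated by colons) and reports packages that are both sideloaded and accessibility-enabled. The command outputs and package names embedded here are constructed so the script runs offline; on a real device you would substitute the live `adb shell` output.

```shell
#!/bin/sh
# Added example (not Zimperium's, Forbes' or Google's code): flag packages that are
# both sideloaded and own an enabled accessibility service, the combination an
# Antidot/AppLite-style dropper needs to overlay apps and read 2FA codes.
LC_ALL=C
export LC_ALL

# Constructed stand-in for:  adb shell pm list packages -i
# Real output lines look like:  package:<name>  installer=<installer package or null>
PM_LIST='package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.update.playservice  installer=null
package:com.jobs.applyhelper  installer=com.android.packageinstaller'

# Constructed stand-in for:  adb shell settings get secure enabled_accessibility_services
# Format: <package>/<service class>:<package>/<service class>...  (or "null" if none)
ENABLED_A11Y='com.update.playservice/com.update.playservice.AccService:com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService'

# Packages whose recorded installer is not the Play Store (com.android.vending).
# "null" means no installer was recorded, typical of an APK pushed by a dropper or adb.
sideloaded_packages() {
    printf '%s\n' "$1" |
        awk -F'[: =]+' '$1 == "package" && $4 != "com.android.vending" { print $2 }'
}

# Packages that own at least one enabled accessibility service.
accessibility_packages() {
    [ "$1" = "null" ] && return 0
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Intersection of the two lists: the packages to inspect first.
flag_suspicious() {
    {
        sideloaded_packages "$1" | sed 's/^/S /'
        accessibility_packages "$2" | sed 's/^/A /'
    } | awk '$1 == "S" { side[$2] = 1 } $1 == "A" && side[$2] { print $2 }'
}

echo "Sideloaded packages with an enabled accessibility service:"
flag_suspicious "$PM_LIST" "$ENABLED_A11Y"
```

Treat the result as a triage list rather than a verdict: legitimate OEM stores (the Samsung Galaxy Store, for instance) also record an installer other than `com.android.vending`, and some genuine accessibility tools are sideloaded by their users. Anything that appears here and calls itself a "Play Store update" or "Play Service" while not being installed by Google is exactly the pattern this report describes.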

In addition to creating overlays and stealing texts, the malware can make and block phone calls, take photos and screenshots and send those to its handlers.

Zimperium has consistently warned Android users of the risks of sideloading apps onto their devices, the reason Androids are much more open to attack than iPhones. This latest report comes as Pixel users continue to switch to Android 15 and Galaxy users get their first taste of One UI 7’s beta.


The latest version of the OS introduces various measures to combat malware, including live threat detection, which monitors apps on devices and can respond to suspicious patterns of behaviour in real-time. Samsung has gone further than Google with its own Android 15 deployment, expanding its default Maximum Restrictions to make it even more difficult for users to click the wrong link or install the wrong app.

Take this warning seriously and do not update any apps from outside Play Store; here’s a recap on the other golden rules to staying safe on Android.

  1. Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load; also ensure Google Play Protect is enabled on your device.
  2. Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
  3. Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
  4. Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
  5. Do not install apps that pose as, or claim to be tied to, established apps like Chrome unless you know for a fact they’re legitimate—check reviews and online write-ups.
