Google is cleaning up Android. The longtime app free-for-all is coming to an end, with a Play Store cull and a tightening of restrictions around sideloading now hitting users, and Play Protect soon to be enhanced with Android 15’s live threat detection. All of this is intended to close the gap to iOS and the locked-down iPhone ecosystem.
But we still see frequent warnings for users that very serious risks remain. That is certainly the case this week, with two separate security reports. First, Kaspersky, which has warned of the risks from “modified versions of Spotify, WhatsApp, Minecraft, and other apps from Google Play.”
The researchers again highlight the dangers of the Necro Trojan, first reported on in 2019, when they “discovered a Trojan in CamScanner, a text recognition app, which had clocked up over 100 million downloads on Google Play. Now the ‘necromancers’ have injected new blood into the old Trojan: we found a version richer in features both in popular apps on Google Play and in various app mods on unofficial sites.”
Kaspersky says it found the trojan on a Spotify mod distributed outside Play Store, but also hiding in Wuta Camera, which “found its way onto Google Play, from where the app was downloaded more than 10 million times.”
The advice is simple. No to third-party stores, and a bigger no to mods for popular apps from unofficial sources. But “apps on Google Play and other official platforms should also be treated with a healthy dose of skepticism. Even a popular app like Wuta Camera, with 10 million downloads, proved powerless in the face of Necro.”
The trojan has evolved, and its obfuscation is far more advanced than in its earlier iterations. Its intent remains the same, though: “Load and run any DEX files, install downloaded apps, tunnel through the victim’s device, and even—potentially—take out paid subscriptions. In addition, they can display and interact with ads in invisible windows, as well as open arbitrary links and run any JavaScript code.”
The second warning comes from Cleafy, which warns that in June it “identified an unclassified Android banking Trojan… a variant of TrickMo, albeit with newly incorporated anti-analysis mechanisms.”
TrickMo is an evolution of the infamous TrickBot, again with more advanced obfuscation and proactive masking from analysis to hinder discovery. TrickMo, too, was first identified back in 2019, and it follows the same pattern: these threats evolve and harden in a constant game of cat and mouse as the defenses put in place around phones and stores improve.
TrickMo’s bag of tricks is impressively complete and includes:
- Interception of One-Time Passwords (OTPs)
- Screen Recording and Keylogging
- Remote Control Capabilities
- Accessibility Service Abuse
- Advanced Obfuscation Techniques
- Anti-Analysis Mechanisms
Again, not something you want on your phone. This malware is distributed by way of a fraudulent Chrome browser update, but one that, when installed, prompts users with “a warning message prompting users to update Google Play services.”
According to Cleafy, “the new app is deceptively named ‘Google Services’ and poses as a legitimate instance of Google Play Services. Upon launching, the app displays a window to ask the user to enable Accessibility services for the app.” This neat piece of social engineering, disguising malware behind trusted names, is unsurprisingly effective.
The common thread here is clear. Do not trust mods or updates or even initial installs of popular apps from anything other than official stores. Do not fall for unofficial mods from anywhere other than the original source. And pay attention even to official store installs of trivial apps from unfamiliar developers.
As ever, the advice from Google will be to use Play Store and to ensure that Play Protect is enabled on your device; once threats are confirmed, this will defend you against infection by any future instances.
Here’s a refresh on the other golden rules for staying safe:
- Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load.
- Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed?
- Do not grant permissions to an app that it should not need: torch and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a genuine need.
- Once a month, scan through your phone and delete a few of the apps you no longer need or haven’t used in a long time.
- Do not install apps that link to established apps like WhatsApp unless you know for a fact they’re legitimate—check reviews and online write-ups.
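Two of the points above, the TrickMo “Google Services” lure that asks for Accessibility access and the rule about never granting accessibility permissions without a real need, can be checked on a device rather than taken on faith. The script below is an added example, not code from Kaspersky, Cleafy or Google: it parses the output of two real `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -3`) and flags third-party packages that hold an enabled accessibility service, plus installed apps whose display label mentions Google or Play Services but whose package name is not under a Google or Android namespace. All sample output and the package-to-label mapping are constructed for the example; the package names in them are placeholders, not indicators from either report.

```python
"""Audit enabled accessibility services and Google look-alike app labels from adb output.

Added example. The sample data below is constructed, not captured from a real device,
and the package names in it are placeholders rather than known-malicious identifiers.
"""
import re
from typing import Dict, List

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Format is a colon-separated list of package/ServiceClass component names.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.hfovjk.svc/com.hfovjk.svc.MainAccessibilityService"
)

# Constructed sample of: adb shell pm list packages -3   (third-party packages only)
SAMPLE_THIRD_PARTY = """package:com.spotify.music
package:com.hfovjk.svc
package:com.wutacam.photo
"""

# Constructed package -> display label mapping (assumed to have been collected separately,
# e.g. from an inventory tool; labels are what the user sees in the launcher).
SAMPLE_LABELS = {
    "com.spotify.music": "Spotify",
    "com.hfovjk.svc": "Google Services",
    "com.wutacam.photo": "Wuta Camera",
    "com.google.android.marvin.talkback": "TalkBack",
}

# Namespaces Google's own system apps live under. This is a name check only: package names
# are not proof of origin, so a real audit should also verify the signing certificate.
TRUSTED_PREFIXES = ("com.google.", "com.android.")
LOOKALIKE_PATTERN = re.compile(r"\bgoogle\b|\bplay services\b", re.IGNORECASE)


def parse_enabled_services(raw: str) -> List[str]:
    """Return the package name of every enabled accessibility service component."""
    raw = raw.strip()
    if not raw or raw == "null":  # the setting reads 'null' when nothing is enabled
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def parse_package_list(raw: str) -> List[str]:
    """Strip the 'package:' prefix that pm list packages puts on each line."""
    return [line[len("package:"):].strip()
            for line in raw.splitlines() if line.startswith("package:")]


def third_party_accessibility(enabled: List[str], third_party: List[str]) -> List[str]:
    """Accessibility services granted to user-installed (non-system) packages."""
    installed = set(third_party)
    return sorted(pkg for pkg in enabled if pkg in installed)


def google_lookalikes(labels: Dict[str, str]) -> List[str]:
    """Apps whose label claims to be Google/Play Services but sit outside Google namespaces."""
    return sorted(pkg for pkg, label in labels.items()
                  if LOOKALIKE_PATTERN.search(label) and not pkg.startswith(TRUSTED_PREFIXES))


def audit(enabled_raw: str, packages_raw: str, labels: Dict[str, str]) -> Dict[str, List[str]]:
    """Run both checks and return the findings keyed by check name."""
    enabled = parse_enabled_services(enabled_raw)
    third_party = parse_package_list(packages_raw)
    return {
        "third_party_accessibility": third_party_accessibility(enabled, third_party),
        "google_lookalikes": google_lookalikes(labels),
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY, SAMPLE_LABELS).items():
        print(f"{check}: {hits or 'none'}")
```

On a real device, replace the constructed strings with the live command output; any hit in `third_party_accessibility` deserves a look, since few legitimate user-installed apps need that level of control, and a package that passes the label check only because its name starts with `com.google.` should still have its signing certificate compared against the genuine Play Services package.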