September 17, 2021 - Blog
Google play and apple app stores distributing malware
Researchers at CheckPoint Software have discovered a new form of malware being distributed through a popular application in the Google Play Store. “The malware, packaged within an Android game app called BrainTest, had been published to Google Play twice. Each instance had between 100,000 and 500,000 downloads according to Google Play statistics, reaching an aggregated infection rate of between 200,000 and 1 million users.” The malware establishes a rootkit on the infected mobile device, opening a backdoor which could allow for the additional installation of a malicious program or the theft of user credentials. Additionally, it utilizes an anti-uninstall feature which re-downloads the malicious program if it is deleted by the user. The malware was capable of bypassing Google Bouncer, the Play Store’s anti-virus protection feature, by tracking IPs used by Google – if the program was opened by a Google-based IP address for testing, the malicious component of the application wasn’t launched.
Mobile security company Lookout also reported a malware infection called XcodeGhost distributed through the Apple App store that may have affected millions of iOS devices. “The malicious code may have hundreds of millions of victims and is present in well-known apps such as WeChat, a globally-popular messaging app with over 600 million active users, 100 million of which are outside of the U.S.; and CamCard, a Chinese-created business card reader, that has gained global popularity.” At this point, the full extent of the malicious program’s capability is not clear, with some reports claiming that it collects user data and others claiming that it can remotely command the infected device.
Similar to the BrainTest malware, XcodeChost used sophisticated methods to infiltrated Apple’s App Store. XcodeGhost's creators reverse engineered Apple’s application development tool Xcode to insert malicious code into legitimate apps. According to Lookout, “XcodeGhost’s creators repackaged Xcode installers with the malicious code and published links to the installer on many popular forums for iOS/OS X developers. Developers were enticed into downloading this tampered version of Xcode because it would download much faster in China than the official version of Xcode from Apple’s Mac App Store.”