The mobile applications have innocuous-sounding names like Flappy Birr Dog and Flappy Bird, but something sinister lurks inside.
Spyware masquerading as those Android apps and others were downloaded over 100,000 times from the Google Play store last year, cybersecurity company Trend Micro said Thursday. Google has removed all of the apps from the store, but the episode is a reminder of the ease with which crooks can hide their malware in popular app markets.
The spyware is capable of siphoning call logs, SMS conversations, and clipboard items from a user’s phone, according to Trend Micro. Users in scores of countries around the world were affected, researchers said, with a third of infections taking place in India.
The so-called MobSTSPY spyware uses a cloud-messaging service to send the stolen information to a command-and-control server, registering the infected device. The malware then lies in wait for the attacker to send it commands from the server, Trend Micro said.
The malware can also steal credentials by using fake Google and Facebook pop-up screens, according to the research.
“If the user inputs his/her credentials, the fake pop-up will only state that the log-in was unsuccessful,” the Trend Micro blog says, “at which point the malware would already have stolen the user’s credentials.”
Google has been playing whack-a-mole with malware in its app store for some time. In 2017, security specialists removed roughly 700,000 malicious apps from the store.
But the problem of vulnerable apps creeping into stores isn’t unique to Google. In September, Apple had to pull a popular app from the Mac Store after researchers showed it was surreptitiously sending user data to a company in China.
The Trend Micro research shows that app stores remain a logical attack vector for hackers.
“The popularity of apps serves as an incentive for cybercriminals to continue developing campaigns that utilize them to steal information or perform other kinds of attacks,” the researchers wrote.