ESET expert: Google Play porn clicker ‘is a truly large-scale campaign’

We Live Security sat down with ESET’s Lukáš Štefanko to discuss the porn clicker family and other mobile malware.

Lukas, are you sure that those malicious apps you discovered really belong to the largest malware campaign Android users have ever faced at Google Play?

“This is a true campaign: a single family of malicious apps masquerading as popular games or apps, designed to bypass Google’s security checks.”

First, I’d like to highlight that what we’ve see really is a campaign. It’s not that some bad guys attain a high numbers of downloads and then disappear after getting banned by Google. This is a true campaign: a single family of malicious apps masquerading as popular games or apps, designed to bypass Google’s security checks. These fake apps are being systematically modified to sneak past even advanced detection methods based on what the Bouncer (Editor’s note: Google Bouncer is the mechanism for checking applications submitted to the Google’s official app store) learnt from the malware’s previously discovered cousins. Also, the campaign has lasted seven months. In that time over 300 malicious apps have made it into Google Play with a million of downloads …

What’s Google’s response to this?

Well, Google’s security team of course fights this campaign and takes the apps off the store pretty frequently. But the malware’s authors keep pace and successfully upload new apps to the store. Generally, Google does a tremendous job in improving the security checks at the Play store. But in this particular case, the bad guys still have the upper hand.

Does it put Google Play users at risk?

In theory, yes. But that fact alone, that there are rotten apples on the shelf, doesn’t mean you have to put them into your shopping cart. In other words, those users who do care about what they download have a good chance of keeping malicious apps out of their devices.

If – and this brings us back to the malicious apps – you read the apps’ ratings, your risk from the whole family of clickers we are discussing is close to zero. As our analyses have shown, users share their bad experiences with these fake apps – but others don’t care. Quite frankly it’s hard to understand why people install apps with clearly negative ratings.

Maybe they are lured by positive comments …

Well, people should know that fake “positive” comments can be found everywhere – and why should fake apps be any exception? While it’s easy to post a few positive fake comments, it’s close to impossible to post enough positive ratings to influence the overall rating. Also, it’s really impossible to erase negative ratings. For this reason, it’s crucial, for the security of users, to pay attention to the proportion of negative ratings.

Unfortunately, in the case of this malware family, hundreds of thousands users did not pay attention. What harm did they suffer?

“This malware is running in the background without any signs that something fishy is going on.”

These fake applications are simple enough, but also certainly malicious enough that no user would want them on their phone if they knew their true purpose. Of course this threat does not belong to the category of more sophisticated malware such as mobile banking threats or the Simplocker crypto-ransomware. Instead, this malware is running in the background without any signs that something fishy is going on. From the user’s point of view, the harm lies in excessive data consumption, potentially resulting in increasing bills for mobile services or exceeding the data cap.

Is Google capable of stopping this campaign?

Google doesn’t disclose exactly how Bouncer and the human review team assess the apps submitted to the Play Store. They should probably apply more filters that actually execute the malicious code hidden in the fake app. Also clustering similar fake applications or scanning them with security software wouldn’t be bad idea.

Apart from the current clickers’ campaign, what else should Android users be aware of?

“File encrypting malware is the most dangerous type of malware.”

Unfortunately, mobile malware is on the rise. Malicious app developers now mainly focus on profit, and they often go directly after the users’ money instead of advertisers’. We often face banking scam malware luring internet banking or credit card information from the user.

Of growing significance is also ransomware, be it screen locking malware or file encrypting malware – the latter, in my eyes is the most dangerous type of malware. If the bad guys implement the encryption algorithm properly, there is no effective way for their victim to get their files back without paying the ransom. But even if you pay those 200-500 USD, you still don’t have any guarantees – don’t forget that you’re dealing with criminals.

So what’s your advice?

In case your files have been encrypted by ransomware and you don’t have a backup, even the police and FBI often recommend paying the ransom. However, my advice is do all you can to avoid getting into such a hopeless situation. Don’t delay taking security measures until something unusual happens – in most cases it’s too late as the device may already be compromised and the data lost.

Remember that smartphones and tablets tend to contain larger amounts of personal data – and credentials – than computers. The question is why people only focus on securing their desktop computers and notebooks while ignoring mobile threats?

Users should take the same security measures for their mobile devices that they have implemented on their computers – I mean using a quality security solution and having a backup of all their important data. On top of that, they should be reasonably paranoid when considering which apps to use and from where to install them.

Regarding app stores, I strongly recommend avoiding unofficial ones and never ever install apps through URL links in received text messages or emails.

Regarding the apps themselves, one simple security measure limits the risks substantially: checking the app’s reviews. Believe me, this is a powerful measure. If all users stick to this advice, we won’t face such large mobile malware campaigns.

Poll:

Author , ESET

Follow us

Copyright © 2016 ESET, All Rights Reserved.