More than 20 versions of government-linked spyware were recently uncovered that had evaded the filters Google uses to keep malware and problematic apps off Google Play. Hackers working for a surveillance company are suspected of infecting hundreds of people with several malicious Android apps that were hosted on the Google Play Store for months.
The finding comes from a joint investigation by Security Without Borders, a non-profit organization that often investigates threats against activists and human rights advocates, and Motherboard. The team behind the investigation published its detailed findings and technical report on Friday.
According to Motherboard's report, the Android malware found on the Google Play Store was sold to the Italian government by a company that sells surveillance cameras and was only recently known to produce malware. The apps "would remain available on the Play Store for months and would eventually be re-uploaded."
Experts said that hundreds of innocent users may have been infected by the operation because of its poor and faulty target validation. Law enforcement and legal experts have also raised the possibility that the use of such malware is illegal.
“We identified previously unknown spyware apps being successfully uploaded on Google Play store multiple times over the course of over two years. These apps would remain available on the Play Store for months and would eventually be re-uploaded,” the researchers said.
The spyware, named Exodus, tricks targets into installing it: the apps are designed to look like harmless utilities for receiving promotions and marketing offers from Italian mobile carriers, or for improving the device's performance.
When alerted by the researchers, Google took the apps down and said it had found 25 different versions of the spyware over the last two years, dating back to 2016. Google confirmed that the number of victims is below 1,000, but declined to give more precise figures on how many people were affected or any information about the targets.
Exodus operates in two stages. In the first stage, the malware installs itself, reads the phone number and the IMEI (the device's unique hardware identifier), and checks whether the device belongs to a target. For that apparent purpose, the malware has a function called "CheckValidTarget."
But the researchers' investigation suggests that this verification does not work properly. "This suggests that the operators of the Command & Control are not enforcing a proper validation of the targets," the report noted. "Additionally, during a period of several days, our infected test devices were never remotely disinfected by the operators."
During Security Without Borders' tests, the malware on the researchers' test devices collected most of the sensitive data on the phone: audio recordings of the phone's surroundings, phone calls, browsing history, calendar entries, geolocation, Facebook Messenger logs, WhatsApp chats, and text messages.
Furthermore, the spyware opens a port and a shell on the device that lets the operators send commands to the infected phone. The researchers highlighted that this shell uses no encryption, and that the port is reachable by anyone on the same Wi-Fi network as the target, so anyone on that network can connect to the infected device and send it commands.
“This inevitably leaves the device open not only for further compromise but for data tampering as well.”
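The exposure described above, a listener bound to every interface rather than to loopback, is something an investigator can check for on a device without knowing the malware in advance. The script below is an added example written for this article; it is not code from the Security Without Borders report or from Exodus. It parses the contents of /proc/net/tcp as pulled from an Android device (for instance with `adb shell cat /proc/net/tcp`), decodes the hex-encoded addresses, and reports sockets in the LISTEN state that are bound to something other than 127.0.0.1. It also maps the owning UID to a package name using the `package:<name> uid:<uid>` lines printed by `pm list packages -U`; that output format is assumed. All sample data in the block is constructed, and the port numbers and package names are arbitrary, not Exodus indicators.

```python
"""Flag TCP listeners on an Android device that are reachable over the LAN.

Added example, not code from the report or from the spyware it describes.
All sample data below is constructed; ports and package names are arbitrary.
"""
import socket
import struct
import sys

TCP_LISTEN = 0x0A      # 'st' column value for LISTEN in /proc/net/tcp
AID_APP_START = 10000  # Android assigns UIDs >= 10000 to installed apps

# Constructed sample of /proc/net/tcp: three sockets, one of them exposed.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F02A8C0:A3E4 4A7D1F19:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 12347 1 0000000000000000 100 0 0 10 0
"""

# Constructed sample of `pm list packages -U` output (format assumed).
SAMPLE_PM_PACKAGES = """\
package:com.android.shell uid:2000
package:com.example.promo uid:10123
"""


def hex_to_ipv4(hex_ip):
    """Decode the little-endian hex IPv4 address used in /proc/net/tcp."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))


def parse_proc_net_tcp(text):
    """Return one dict per socket line, skipping the header row."""
    sockets = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        local_ip, local_port = fields[1].split(":")
        sockets.append({
            "local_ip": hex_to_ipv4(local_ip),
            "local_port": int(local_port, 16),
            "state": int(fields[3], 16),
            "uid": int(fields[7]),
        })
    return sockets


def parse_pm_packages(text):
    """Map UID -> list of package names from `pm list packages -U` output."""
    by_uid = {}
    for line in text.splitlines():
        if not line.startswith("package:"):
            continue
        pkg, _, uid_part = line[len("package:"):].partition(" uid:")
        if uid_part:
            by_uid.setdefault(int(uid_part), []).append(pkg)
    return by_uid


def exposed_listeners(proc_net_tcp, pm_packages=""):
    """LISTEN sockets bound to a non-loopback address, as (ip, port, uid, pkgs).

    A loopback-only listener may still deserve a look, but it cannot be
    reached by other hosts on the Wi-Fi network; a 0.0.0.0 or LAN-address
    bind can.
    """
    by_uid = parse_pm_packages(pm_packages)
    found = []
    for s in parse_proc_net_tcp(proc_net_tcp):
        if s["state"] != TCP_LISTEN or s["local_ip"].startswith("127."):
            continue
        found.append((s["local_ip"], s["local_port"], s["uid"], by_uid.get(s["uid"], [])))
    return found


def main(argv):
    # Read /proc/net/tcp from the file given on the command line, else the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PROC_NET_TCP
    for ip, port, uid, pkgs in exposed_listeners(text, SAMPLE_PM_PACKAGES):
        kind = "app" if uid >= AID_APP_START else "system"
        print(f"{ip}:{port} uid={uid} ({kind}) packages={pkgs or 'unknown'}")


if __name__ == "__main__":
    main(sys.argv)
```

On the constructed sample the only hit is the socket bound to 0.0.0.0, owned by an app UID that maps to `com.example.promo`. Against a real device, pipe `adb shell cat /proc/net/tcp` to a file and pass it as the first argument; IPv6 listeners live in /proc/net/tcp6 and are not covered by this parser.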
Google Play’s app filter is limited
Many have already raised concerns about the limits of the filters Google uses to keep malware out of its official app marketplace. Both government-sponsored hackers and those working for criminal organizations are known to have uploaded malicious apps to the Play Store. The new discovery only highlights Google's inability to protect Android users from destructive applications downloaded from the Google Play Store.
Other experts called the discovery alarming but not surprising. Lukas Stefanko, an ESET researcher who specializes in Android malware, said he was not surprised, but was alarmed that malware continues to make its way past Google Play's filtering mechanism.
“Malware in 2018 and even in 2019 has successfully penetrated Google Play’s security mechanisms. Some improvements are necessary,” Stefanko noted. “Google is not a security company, maybe they should focus more on that.”