The Google Cloud security team acknowledged a common tactic known as versioning used by malicious actors to slip malware on Android devices after evading the Google Play Store’s review process and security controls.
The technique works either by introducing the malicious payloads through updates delivered to already installed applications or by loading the malicious code from servers under the threat actors’ control in what is known as dynamic code loading (DCL).
It allows the threat actors to deploy their payloads as native, Dalvik, or JavaScript code on Android devices by circumventing the app store’s static analysis checks.
“One way malicious actors attempt to circumvent Google Play’s security controls is through versioning,” the company says in this year’s threat trends report.
“Versioning occurs when a developer releases an initial version of an app on the Google Play Store that appears legitimate and passes our checks, but later receives an update from a third-party server changing the code on the end user device that enables malicious activity.”
While Google says all applications and patches submitted for inclusion into the Play Store go through rigorous PHA (Potentially Harmful Application) screening, “some of those controls” are bypassed through DCL.
Google explained that applications found engaging in such activities breach the Google Play Deceptive Behavior policy and could be labeled as backdoors.
Per the company’s Play Policy Center guidelines, apps distributed through Google Play are explicitly barred from altering, substituting, or updating themselves through any means other than the official update mechanism provided by Google Play.
Additionally, apps are strictly prohibited from downloading executable code (such as dex, JAR, or .so files0 from external sources to the official Android App Store.
Google also highlighted a specific malware variant named SharkBot, first spotted by Cleafy’s Threat Intelligence Team in October 2021 and known for utilizing this technique in the wild.
SharkBot is banking malware that will make unauthorized money transfers via the Automated Transfer Service (ATS) protocol after compromising an Android device.
To evade detection by Play Store systems, the threat actors responsible for SharkBot have adopted the now common strategy of releasing versions with limited functionality on Google Play, concealing their apps’ suspicious nature.
However, once a user downloads the trojanized app, it downloads the full version of the malware.
Sharkbot has been camouflaged as Android antivirus software and various system utilities and has successfully infected thousands of users via apps that passed the Google Play Store’s submission checks for malicious behavior.
Cybersecurity reporter Brian Krebs also highlighted the use of a different mobile malware obfuscation technique for the same purpose, recently unveiled by ThreatFabric security researchers.
This method effectively breaks Google’s app analysis tools, preventing them from scanning malicious APKs (Android application packages). As a result, these harmful APKs can successfully install on users’ devices, despite being labeled as invalid.