Malware lurks behind every app in another Android store
ESET researchers have discovered an Android application store distributing malware on a large scale.
ESET researchers found that CepKutusu.com, a Turkish alternative Android app store, was distributing malware in place of every app it offered.
When users browsed Turkish alternative app store CepKutusu.com and proceeded to download an app, the “Download Now” button led to banking malware instead of the desired app.
Weeks after ESET researchers contacted the store operator with their discovery of the attack, the store’s malicious activity ceased.
Interestingly, although ESET researchers found that the redirection from legitimate app to malicious app was general, meaning every app on the store was replaced with the banking malware, the crooks behind the campaign added an exception.
Probably to increase their chances of staying under the radar longer, they introduced a seven-day window during which no malware is served after a malicious download. In practice, once the user downloads the infected application, a cookie is set that stops the malicious mechanism from firing again, so the user receives clean links for the next seven days. After this period has passed, the user is redirected to the malware again the next time they try to download an app from the store.
The malicious application distributed by the store at the time of the investigation was remotely controlled banking malware capable of intercepting and sending SMS messages, displaying fake activity, and downloading and installing other applications.
Once installed, the malware does not imitate the application the user intended to install. Instead, it mimics Flash Player.
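The cookie-gated link swap and the Flash Player decoy described above can both be checked for from the client side. The following is an added example (not ESET’s code and nothing taken from the store): it fetches one download link from a fresh session and again with the cookies the first response set, then flags a file that changed between the two and a served filename that does not match the app that was requested. `SimulatedStore`, `honest_fetch`, the URL and the file contents are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Response:
    body: bytes
    filename: str        # name the server attaches to the download
    set_cookies: dict    # cookies the server asked the client to keep


def audit_download(fetch, url, requested_app):
    """Fetch `url` once from a fresh session and once replaying the cookies the
    first response set; report anything that looks like a swapped artifact.
    `fetch(url, cookies) -> Response` is supplied by the caller."""
    findings = []
    first = fetch(url, {})                        # no cookies: what a new visitor gets
    second = fetch(url, dict(first.set_cookies))  # same link, cookies replayed
    if hashlib.sha256(first.body).digest() != hashlib.sha256(second.body).digest():
        findings.append("same link serves a different file once cookies are present")
    for label, resp in (("fresh", first), ("cookied", second)):
        if requested_app.lower() not in resp.filename.lower():
            findings.append(f"{label} session: asked for {requested_app!r}, "
                            f"got {resp.filename!r}")
    return findings


class SimulatedStore:
    """Constructed stand-in (not the real site) reproducing the cookie-gated
    behaviour the article describes, used only to exercise the auditor."""
    WINDOW = 7 * 24 * 3600  # seven days, in seconds

    def __init__(self, now=0):
        self.now = now  # injected clock so the window can be tested offline

    def fetch(self, url, cookies):
        served_at = cookies.get("served_at")
        if served_at is not None and self.now - int(served_at) < self.WINDOW:
            # inside the window: hand out the genuine file under its own name
            return Response(b"clean-app-bytes", url.rsplit("/", 1)[-1], {})
        # outside the window: hand out the decoy and start a new window
        return Response(b"decoy-bytes", "FlashPlayer.apk", {"served_at": str(self.now)})


def honest_fetch(url, cookies):
    """Constructed well-behaved store: the same file regardless of cookies."""
    return Response(b"clean-app-bytes", url.rsplit("/", 1)[-1], {})
```

Against the simulated store the auditor reports two findings on the very first visit, which is exactly when a real victim would have received the decoy; against the honest store it reports nothing.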
To better understand this attack and its wider implications, we turned to Lukáš Štefanko, a malware researcher at ESET who specializes in Android malware and who discovered the malware-distributing app store.
An app store serving its customers with large-scale malware – that sounds like a big threat. On the other hand, serving Flash Player instead of what customers wanted – that’s a pretty slim disguise. What is your opinion on this?
First of all let me say this is the first time I have seen an entire Android market infected like this. Within the Windows ecosystem and in browsers, this technique has been known to be in use for some time. In the Android ecosystem, however, it is truly a new attack vector.
As for the impact, what we saw in this particular case was most likely a test. The crooks abused their control of the app store in the easiest way. Replacing links to all apps with a link to a single malicious app requires virtually no effort, but it also gives the store customers a fair chance to spot the scam. If you were drawn to downloading a popular game and ended up with Flash Player instead… I think you would uninstall it immediately and report the problem, right?
This could explain why we only saw a few hundred infections.
From this point of view, it does not seem very serious …
Well, like I said, it was probably a test. I can imagine a scenario where the crooks who control the back-end of the store add malicious functionality to each of the apps in the store. Serve people interested in a particular game with a Trojan version of that game – this would remove the larger red flag and the number of victims could increase dramatically.
As to the attribution of this attack, have you found any traces?
There are three possible scenarios here: an app store built with the intention of spreading malware; a legitimate app store turned malicious by a malicious employee; and a legitimate application store falling victim to a remote attacker.
As for scenarios two and three, I think such an attack would not go unnoticed by a legitimate store. User complaints, suspicious server logs, and code changes should be sufficient indicators for its operators, especially if they occur over an extended period of time. It is also interesting in this regard that we contacted the store operators with our findings, but received no feedback.
How to protect yourself
- If possible, always prefer downloading apps from official app stores. This advice is repeated over and over again for good reason: there are no guarantees of security measures at alternative app stores, making them a great place for malware writers to distribute their “work”, and not just through single malicious apps, but also on a mass scale, as illustrated in this case.
- Be careful when downloading content from the Internet. Pay attention to anything suspicious in the name, size and extension of the file – this is where many threats can still be recognized and avoided in time.
- Use a reliable mobile security solution to protect yourself from the latest threats. As for this threat hidden in the CepKutusu.com alternative app store, ESET detects it as Android/Spy.Banker.IE and prevents its download.