Spyware Gamed 1.5M Users on Google Play Store

Two malicious applications containing spyware have been found in the Google Play store, with both apps linked to the same developer and impacting around 1.5 million users, according to a security alert from Pradeo. The apps, called "File Manager" and "File Recovery and Data Recovery", were swiftly removed by Google once notified by researchers.

Unlike most malicious apps that require user interaction to deliver malware, these spyware apps relied on permissions instead. They were able to induce device restarts through the advanced permissions they requested, allowing the apps to launch and execute themselves automatically upon restart.

Roxane Suau, a researcher at Pradeo, explained that file manager applications and junk cleaner apps are often exploited for malicious purposes due to the elevated permissions required for their functionality.

In addition to manipulating permissions, the spyware apps also misrepresented the amount of data collected. This raises concerns about the security controls in place for applications available on the Google Play store, as highlighted by Melissa Bischoping, the director of endpoint security research at Tanium.

Bischoping argues that users are often encouraged to trust the data privacy and safety reports on an app’s page in the store, and these deceptive practices undermine trust in all apps, not just the ones analyzed in the Pradeo report. With over 3.5 million apps in the store, conducting extensive analysis of each app’s privacy and security practices would be a daunting task. This incident underscores the need for tighter vetting and control over what is published on the platform.

The impact of these malicious applications on enterprises is particularly significant when bring-your-own-device (BYOD) policies are in place. Bischoping emphasizes that implementing a BYOD policy can leave mobile devices unmanageable for large organizations. This lack of control means an employee may install various apps and grant extensive permissions, potentially compromising corporate data.

Mike Parkin, a senior technical engineer with Vulcan Cyber, suggests that enterprise-owned devices should have restrictions in place to prevent the download of these applications. If the company owns the device, it has every right to regulate what is installed on it.

However, for organizations with BYOD policies, restricting app downloads is more challenging. Parkin suggests that such organizations publish their expectations and, when necessary, block infected devices from accessing enterprise assets.

While malicious applications are not new, John Gallagher, vice president at Viakoo Labs, hopes that incidents like the discovery of these spyware apps will prompt enterprise security teams to reevaluate their policies. Gallagher acknowledges that applications inflating their download numbers, obtaining unnecessary permissions, and violating personal information policies and laws are existing attack vectors. These recent threats may push organizations to screen company-provided devices for potentially harmful apps or monitor their network traffic to detect any issues.
