
How did a malicious app slip past Google Play app store security?

A malicious app called Black Jack Free was able to bypass Google Play's app store security. Expert Michael Cobb explains the threat and how enterprises should defend themselves.

A banking Trojan was recently discovered in a malicious app in the Google Play store. How was this mobile app able to bypass Google's security defenses, and should enterprises be concerned about the inability of app stores to spot a malicious app harboring a Trojan?

The malicious app Black Jack Free was discovered by researchers at mobile security company Lookout. The app was available for download for four days before Google withdrew it from the official Play store; Lookout estimates it was downloaded around 5,000 times during this period. According to Google's second annual Android Security report, the percentage of apps carrying malware that made it into the Play store in 2015 was just 0.1%. However, given the vast number of apps available, even that small percentage shows that a few hackers are still able to sneak their malware through Google's security checks.

Google has two main safeguards to keep malicious mobile apps out of the Play store: it performs manual reviews when apps are submitted, and it uses various automated tools, including its in-house antivirus system called Bouncer, to analyze apps for known malware and terms of service violations before they are published. It also looks for behaviors that indicate an application might be misbehaving by simulating how it will run on an Android device.

However, hackers have developed various tactics to evade these app store security controls. Some take the low and slow approach to evasion. Malware authors can spend several months trying different names, games and techniques to see which apps, with what functionality, they can get published without triggering any warnings or alerts from Google; the manual approval process can often be measured in hours, so it's not necessarily that comprehensive. Once an app makes it to the store, its author can turn on or add malicious functions and features. Sometimes prior to that, other apps are used to give the new app positive reviews and ratings, to increase its apparent legitimacy and appeal and the potential number of downloads.

Another technique used to disguise an app's true intentions is to use dynamic loading. Dynamic loading enables an application to only load components as they are specifically requested. It is used legitimately to reduce the size of an executable file and improve performance when certain dependent components are not regularly required. This same technique can be used to delay the loading of malicious code or configuration parameters until the app has passed verification and been installed. This is what the Black Jack Free malware does; it silently downloads a secondary app that displays overlay windows over legitimate apps such as Facebook, Skype and various banking apps to trick people into entering their online credentials and credit card information -- a similar technique to ATM skimmers installed over an ATM's card reader.

App stores, particularly small, unregulated ones, will always host a percentage, no matter how small, of malicious apps. This means enterprises need to enforce some form of mobile security policy to control what types of devices can connect to the network, and to provide additional security controls to protect their users, such as ESET Mobile Security & Antivirus or Avast Mobile Security & Antivirus. Users should be taught to be wary of free apps that appear to be too good to be true, to read comments from people who are already using them and to consider whether the permissions that an app requests during installation are justified. Apps should only be obtained from the official device vendor stores or the enterprise's own app store, if it exists. In the case of Android devices, the Verify apps option should always be turned on, as this checks apps when they're installed and periodically scans the device for potentially malicious app updates.
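For an enterprise that vets apps before admitting them to its own app store, a first-pass static triage can flag the combination described above: an app that can pull in code or a second app after installation and can also draw over other apps. The following is an added example, not code from the article or from Lookout; the indicator strings, tag names, function names and sample APKs are assumptions constructed for illustration.

```python
import io
import zipfile

# Heuristic strings chosen for this example (not indicators from Lookout's analysis).
DEX_STRINGS = {
    b"Ldalvik/system/DexClassLoader;": "dynamic-load",          # loads code at runtime
    b"application/vnd.android.package-archive": "apk-install",  # hands an APK to the installer
}
MANIFEST_STRINGS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",  # may draw over other apps
    "android.permission.INTERNET": "network",
}

def triage_apk(apk_bytes):
    """Return the set of indicator tags found in one APK (given as bytes)."""
    tags = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if name.startswith("classes") and name.endswith(".dex"):
                tags.update(t for s, t in DEX_STRINGS.items() if s in data)
            elif name == "AndroidManifest.xml":
                # Compiled manifests keep strings as UTF-16LE or UTF-8: check both.
                for perm, tag in MANIFEST_STRINGS.items():
                    if perm.encode("utf-16-le") in data or perm.encode() in data:
                        tags.add(tag)
    return tags

def needs_review(tags):
    """Escalate when an app can both pull in later code and draw overlays."""
    return "overlay" in tags and bool(tags & {"dynamic-load", "apk-install"})

def build_sample(dex, manifest):
    """Build a constructed, non-functional APK-shaped zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
        z.writestr("AndroidManifest.xml", manifest)
    return buf.getvalue()

# Constructed samples: string tables only, no executable code.
SUSPECT = build_sample(b"dex\n035\x00" + b"\x00".join(DEX_STRINGS),
                       "\x00".join(MANIFEST_STRINGS).encode("utf-16-le"))
BENIGN = build_sample(b"dex\n035\x00Lcom/example/Game;\x00",
                      "android.permission.INTERNET".encode("utf-16-le"))

if __name__ == "__main__":
    for label, apk in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, sorted(triage_apk(apk)), needs_review(triage_apk(apk)))
```

Plain string matching misses apps that obfuscate names or reach these APIs through reflection, and many legitimate apps use dynamic loading, so a hit is a prompt for manual review rather than a verdict.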


This was last published in September 2016
