Security firm ESET discovers malware in third-party store

Jul 26, 2017 09:32 GMT

ESET security researchers have discovered a new Android malware that is spreading with the help of a third-party store and compromises the device on the first download a user starts from that store.

The Turkish third-party APK store CepKutusu was recently found to be serving malicious downloads: affected devices end up infected with a banking malware that intercepts and sends SMS messages and lets the attackers install other apps.

The “Download now” button displayed for each APK listed in the store leads users to a malware download instead of the desired app, but it turns out the attackers implemented a behavior that makes the button link to malware only the first time a user taps it.

For the next 7 days after the malware is served, the device is no longer offered the infected download and receives clean links instead. This is most likely a technique the malware authors adopted to stay under the radar longer.
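The first-download-only, seven-day-quiet pattern described above is something a store operator can look for in its own download logs. The following is an added example, not ESET's or CepKutusu's code: it runs over a constructed log where each record is (timestamp, client, requested listing, hash of the file actually served), compares the served hash against a constructed catalog of expected hashes, and flags clients whose first download did not match the catalog while later downloads within the window did. All package names and hashes are invented placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed catalog: the file each listing is supposed to serve (placeholder hashes).
CATALOG = {
    "com.example.notes": "sha256:aaaa",
    "com.example.weather": "sha256:bbbb",
}

# Constructed download log: (ISO timestamp, client id, listing requested, hash served).
# client-1 and client-2 get an off-catalog file on their first tap, then clean files.
# client-3 only ever receives the catalog file.
LOG = [
    ("2017-07-20T10:00:00", "client-1", "com.example.notes", "sha256:ffff"),
    ("2017-07-20T10:05:00", "client-1", "com.example.weather", "sha256:bbbb"),
    ("2017-07-24T09:00:00", "client-1", "com.example.notes", "sha256:aaaa"),
    ("2017-07-21T11:00:00", "client-2", "com.example.weather", "sha256:ffff"),
    ("2017-07-21T11:02:00", "client-2", "com.example.weather", "sha256:bbbb"),
    ("2017-07-22T12:00:00", "client-3", "com.example.notes", "sha256:aaaa"),
]


def find_first_download_swaps(log, catalog, window=timedelta(days=7)):
    """Return {client: served_hash} for clients whose first download served a file
    that does not match the catalog, while a later download inside `window`
    served the expected file. That is the evasion pattern described in the article."""
    by_client = defaultdict(list)
    for ts, client, pkg, served in sorted(log):  # ISO timestamps sort lexically
        by_client[client].append((datetime.fromisoformat(ts), pkg, served))

    suspects = {}
    for client, events in by_client.items():
        first_ts, first_pkg, first_served = events[0]
        if first_served == catalog.get(first_pkg):
            continue  # first download was the genuine file, nothing to flag
        later_clean = [
            (ts, pkg, served) for ts, pkg, served in events[1:]
            if ts - first_ts <= window and served == catalog.get(pkg)
        ]
        if later_clean:
            suspects[client] = first_served
    return suspects


def unexpected_artifacts(log, catalog):
    """Hashes served that are not the catalog file for the requested listing.
    One hash appearing across many different listings is itself a red flag."""
    return {served for _, _, pkg, served in log if served != catalog.get(pkg)}
```

A real deployment would take the expected hash from the signed APK the operator uploaded and the served hash from the web server's access log or CDN edge, rather than from in-memory lists.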

Store operators remain tight-lipped

When the downloaded file is installed, it does not deploy the app the user picked from the store but a fake Flash Player, which is used to deliver the malware.

While the malicious links have since been removed from the store, ESET researcher Lukáš Štefanko says the store operators have not yet responded, so it is still difficult to establish how the malware came to be served to users.

“There are three possible scenarios here: an app store built with the intention to spread malware; a legitimate app store turned malicious by an employee with bad intentions; and a legitimate app store becoming a victim of a remote attacker,” he says.

“As for scenarios two and three, I would think that such an attack wouldn’t go unnoticed by a legitimate store. User complaints, suspicious server logs and changes in code should be sufficient indicators for its operators – especially if it occurs over a prolonged period of time. Also of interest in this regard is that we contacted the store operators with our findings but haven’t received any reaction.”

As usual, the best way to avoid getting your Android device infected with malware is to avoid downloading apps from untrusted sources, especially from shady third-party stores that could easily inject a virus into what seems to be a legitimate app.