The call recording app had been available since November 30, 2017

Nov 12, 2018 17:48 GMT

An Android call recording application with hidden malicious code designed as a malware dropper was found by malware researcher Lukas Stefanko in the Google Play store.

When Stefanko discovered it, the "Simple Call Recorder" application published by FreshApps Group already had over 5,000 installs, and it had been available on Google Play since November 30, 2017.

Although Simple Call Recorder was a functional call recorder, it also had another hidden purpose, which "was to download an additional app and trick the user into installing it as Flash Player Update," according to Stefanko.

The malicious app tries to compromise the device it is installed on by decrypting a binary file stored in its assets, loading it dynamically, and then asking the user to install a fake Flash updater from http://adsmserver[.]club/up/update.apk (the installer has since been removed, and the URL now redirects to Google's AdMob).

Because the malware payload was no longer available, it's impossible to know what the FreshApps Group Android developer used it for but, given the way it was designed to be downloaded on the targeted devices, it's quite evident that it was a malicious tool.
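A static triage check for the dropper pattern described above (an opaque asset, dynamic code loading, and a reference to a downloadable APK), given here as an added example that is not code from the researcher or from the app. The loader class names, the entropy cut-off, the helper names `triage` and `constructed_sample`, and the `example.invalid` URL are assumptions made for illustration; the sample embeds the `flashplayer_update.apk` string reported for this app.

```python
import io, math, os, re, zipfile
from collections import Counter

# Loader type names as stored in a DEX string table (assumed loading mechanism).
LOADERS = (b"dalvik/system/DexClassLoader", b"dalvik/system/InMemoryDexClassLoader",
           b"dalvik/system/PathClassLoader")
# A URL ending in .apk, or a bare *.apk file name such as flashplayer_update.apk.
APK_REF = re.compile(rb"(?:https?://[\x21-\x7e]{1,200}?|[\w.-]{1,64})\.apk\b")
ENTROPY_MIN = 7.5  # bits per byte; assumed cut-off, encrypted data sits near 8.0
SIZE_MIN = 4096    # small files give unreliable entropy estimates

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(apk) -> dict:
    """Collect static dropper indicators from an APK (path or file object)."""
    out = {"loaders": set(), "apk_refs": set(), "opaque_assets": []}
    with zipfile.ZipFile(apk) as z:
        for info in z.infolist():
            data = z.read(info)
            if re.fullmatch(r"classes\d*\.dex", info.filename):
                out["loaders"] |= {l.decode() for l in LOADERS if l in data}
                out["apk_refs"] |= {m.decode() for m in APK_REF.findall(data)}
            elif info.filename.startswith("assets/") and len(data) >= SIZE_MIN:
                if entropy(data) >= ENTROPY_MIN:
                    out["opaque_assets"].append(info.filename)
    # All three together match the behaviour described; each alone is weak.
    out["suspicious"] = bool(out["loaders"] and out["apk_refs"] and out["opaque_assets"])
    return out

def constructed_sample(asset: bytes) -> io.BytesIO:
    """Build a fake APK in memory; every value here is constructed test data."""
    strings = [b"dex\n035", b"Ldalvik/system/DexClassLoader;", b"flashplayer_update.apk",
               b"http://example.invalid/up/update.apk"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"\x00".join(strings))
        z.writestr("assets/data.bin", asset)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(triage(constructed_sample(os.urandom(8192))))      # random bytes stand in for ciphertext
    print(triage(constructed_sample(b"plain text " * 800)))  # low-entropy asset, not flagged
```

Compressed media in `assets/` is also high-entropy, and reflection or string obfuscation can hide loader names, so the result is a signal for manual review and not a verdict.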

The malicious call recording app was used as a malware dropper for almost a year

"Simple Call Recorder lasted on the Google Play almost for a year, which is really a long time before being removed, if we consider that the app contained flashplayer_update.apk string inside," said the researcher. "Even though I could not retrieve the downloaded application, this functionality is still – based on Google Play policy explicitly prohibited."

This is not the first time Stefanko found a Trojan-ridden app in the Google Play store. In September he discovered a banking Trojan also camouflaged as a legitimate phone call recording Android app which was stealing banking info from compromised Android devices.

Moreover, the banking Trojan spotted two months ago was installed on more than 10,000 Android devices, and it was capable of stealing banking credentials using Android's accessibility services even when SMS two-factor authentication was enabled.

In addition, Stefanko unearthed 29 other infected Android apps in the official Android store from August until early October 2018, which were impersonating legitimate banking apps and used phishing forms to collect banking credentials.
