We've reported previously that malicious apps were discovered in the official Android app store, which is now known as Google Play. While those reported apps were removed, more malicious apps have been seen in the official marketplace and appear to still be victimizing users. This is just one of the important reasons why we feel that a technology like our Trend Micro Mobile App Reputation is crucial to users’ overall mobile experience and security.
In total, we have discovered 17 malicious mobile apps still freely downloadable from Google Play: 10 apps using AirPush to potentially deliver annoying and obtrusive ads to users and 6 apps that contain Plankton malware code.
| Application Name | Package Name | App Developer | Brief Behavior Description |
|---|---|---|---|
| Spy Phone PRO+ | com.spinXbackup.backupApp | Krishan | Sends out GPS location, SMS and call log |
| 微笑的小工具 | com.antonio.smiley.free | Antonio Tonev | Connects to C&C server and waits for the command |
| 應用程序貨架 | com.antonio.wardrobe.apps.lite | Antonio Tonev | Connects to C&C server and waits for the command |
| 小兔子射氣球 | com.christmasgame.balloon | Ogre Games | Connects to C&C server and waits for the command |
| 阿維亞拼圖 | com.macte.JigsawPuzzle.Aviation | Macte! Labs | Connects to C&C server and waits for the command |
| 山拼圖 | com.macte.JigsawPuzzle.Hills | Macte! Labs | Connects to C&C server and waits for the command |
| 食品謎 | com.macte.JigsawPuzzle.Food | Macte! Labs | Connects to C&C server and waits for the command |
| NBA SQUADRE PUZZLE GAME | com.bestpuzzlesgames.NBA1 | Crisver | Pushes applications and advertisements to user |
| NFL Puzzle Game | com.bestpuzzlesgames.nfl | Crisver | Pushes applications and advertisements to user |
| 本機拼圖 | com.macte.JigsawPuzzle.Indians | Macte! Labs | Pushes applications and advertisements to user |
| 拼圖：紐約 | com.macte.JigsawPuzzle.NewYorkCity | Macte! Labs | Pushes applications and advertisements to user |
| Cricket World Cup and Teams | com.bestpuzzlesgames.cricket | Crisver | Pushes applications and advertisements to user |
| 怪物3D | com.killu.m3d | Killugames | Pushes applications and advertisements to user |
| 最佳設計的鞋子 | com.killu.bds | Killugames | Pushes applications and advertisements to user |
| 爆轉陀螺益智 | com.manic.bb | Manic Puzzles | Pushes applications and advertisements to user |
| 芭比好萊塢之謎 | com.espu.bho | Puzzles | Pushes applications and advertisements to user |
| 芭比娃娃夢幻之謎 | com.espu.bafa | Puzzles | Pushes applications and advertisements to user |
Among them, one app which explicitly describes itself as a spying app has also been flagged as a threat by Trend Micro due to its potential for misuse. This particular threat is known as ANDROIDOS_PDASPY.A. Its Google Play page makes it clear what its purpose is:
The attacker must initially install and set up this particular app onto the target phone, as can be seen in the following screenshots:
Its capabilities include tracking a phone’s location, phone calls, and messages. Once the attacker presses the “Save & Start” button, the attacker can then track the device via the website given:
Most of these apps have been downloaded several thousand times. The above PDASpy app appears to have been downloaded more than 100,000 times. Collectively, the detected apps have been downloaded more than 700,000 times. Users not running any mobile security app may be victimized by annoying ads (AirPush) or the apps’ (Plankton) malicious connections to remote C&Cs.
We discovered these apps as part of our Mobile App Reputation efforts. We continuously monitor both official and third-party app stores for newly uploaded and popular apps and check the behavior of these apps. We look not just for malicious behavior, but also for bandwidth-consuming and battery-consuming routines. Trend Micro Mobile Security Personal Edition is capable of detecting the threats we mentioned above.
- Read up about mobile malware information from the Mobile Threat Information Hub
- Watch the Mobile App Reputation video on the CTO Insights blog
- Read about the Trend Micro Mobile App Reputation
Update as of 1:59 AM PST
Google has already removed some of the apps cited in this blog post. We will continue to monitor this case and update this entry with any progress.