By Richard Arneson
It’s been over three (3) years since Google announced that developers could no longer publish applications on Google Play willy-nilly—that is, without their apps having first been vetted. But that vetting process is largely handled like it is on Apple’s App store—manually. Yes, people are their main source of Malware and app violation detective work. And when there are almost 3 million apps on Google Play, there’s plenty of room for oversight. When people are involved, mistakes are made. And that was made evident this past Tuesday (Nov. 13th) when Lukas Stefanko, a Malware researcher from Slovakia, published his findings. Stefanko discovered four (4) apps on Google Play that were designed to dupe users into inadvertently coughing up their cryptocurrency.
“The Crypto 4”
Stefanko discovered an app that appeared to be developed and offered by legitimate cryptocurrency Ethereum. The app was only downloaded a few hundred times due to its $388 price tag, but when multiplied several times over, the malicious developers did all right for themselves.
Stefanko discovered three (3) apps that mimicked legitimate cryptocurrency wallet companies NEO, Tether and MetaMask.
Cryptocurrency wallets generate a public address and a private key for the user. In the case of NEO and Tether, however, the user was unknowingly provided with the attacker’s public address. Once the app was launched, the user believed that public address had been assigned to them. Then the attacker used their private key to access funds the user had deposited. And when the user would try and access those funds, they didn’t have the private key to withdraw them. It was discovered that the fraudulent NEO and Tether apps were utilizing the same malicious public address.
The MetaMask scam phished for users’ wallet password and private key, asking them to provide both. And if the user believed they had accessed MetaMask—the real MetaMask—it’s quite possible they lost some of their treasured crypto.
Stefanko reported all four (4) scams to Google Security, and they were promptly removed from Google Play.
What is Google doing to prevent this?
They already have…sort of. On July 27th, Google followed Apple’s lead, banning crypto-mining apps that were carried on Google Play. (Apple banned them a month earlier, in June). Google gave developers a 30-day grace period to revise their apps to comply with the new ban. But as recently as last week, it was discovered (not by Stefanko, in this case) that there were still eight (8) crypto-mining apps available from Google Play. Google has reported that three (3) of those apps have been removed, but apparently the following still exist: Crypto miner PRO, Pickaxe Miner and Pocket Miner. Another, Bitcoin Miner, is still carried on Google Play, but is reportedly in compliance with Google’s revised terms.
But before you label Google as being grossly negligent, it’s important to note that last year they jettisoned over five hundred (500) apps that could have easily installed spyware on users’ devices. They’re not sitting by idly. These 500 apps had been downloaded over 100 million times. Thankfully the developer of these apps, Lgexin, wasn’t operating in a malicious manner. They had accidentally created a backdoor security vulnerability, but if they were so inclined, they could have infected millions of devices via malicious plugins.
They’re not banning everything
Google doesn’t have anything against cryptocurrency, just the mining of it on devices that can download apps from Google Play. Apps from cryptocurrency exchanges are still on there, and will be for many years to come.
To find out more about the many threats that may can target your organization, contact GDT’s tenured and talented security analysts at SOC@GDT.com. From their Security- and Network Operations Centers, they manage, monitor and protect the networks of companies of all sizes, including those for some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.