Attackers use dynamic code loading to bypass Google Play store’s malware detections

Pierluigi Paganini August 04, 2023

Threat actors rely on the ‘versioning’ technique to evade malware detections of malicious code uploaded to the Google Play Store.

Google Cybersecurity Action Team (GCAT) revealed that threat actors are using a technique called versioning to evade malware detection implemented to detect malicious code uploaded to the Google Play Store.

The technique is not new but continues to be effective, multiple malware such as the banking Trojan SharkBot used it to bypass checks implemented by Google for its Play Store.

Threat actors initially upload to the Play Store harmless Android applications that later download malicious updates after installation.

“Campaigns using versioning commonly target users’ credentials, data, and finances.” reads the Google Cybersecurity Action Team’s August 2023 Threat Horizons Report. “In an enterprise environment, versioning demonstrates a need for defense-in-depth principles, including but not limited to limiting application installation sources to trusted sources such as Google Play or managing corporate devices via a mobile device management (MDM) platform.”

Attackers rely on dynamic code loading (DCL) to push a malicious update.

This is achieved by pushing an update from an attacker-controlled server to serve malicious code on the end user device using a method called dynamic code loading (DCL), effectively turning the app into a backdoor.

“One way malicious actors attempt to circumvent Google Play’s security controls is through versioning. Versioning occurs when a developer releases an initial version of an app on the Google Play Store that appears legitimate and passes our checks, but later receives an update from a third-party server changing the code on the end user device that enables malicious activity.” continues the report. “One common form of versioning is using dynamic code loading (DCL).”

According to the report, Apps using the DCL loading mechanism violate Google Play Deceptive Behavior policy and may be labeled as a backdoor.

The report analyzed SharkBot as a case study for the abuse of the DCL (aka MITRE T1407) technique to download and execute code not included in the original application after installation.

The DCL technique allows attackers to evade static analysis and checks implemented by the Google Play Store before the publication of the app.

The variants of SharkBot that were discovered on the Google Play Store had reduced functionality, a tactic used to evade detection.

Google recommends Android users to download apps only from trusted stores and keep their device’s software up-to-date.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

you might also like

leave a comment