Fake Google Play site conceals rogue Android app

Barely has Google consolidated its services and renamed them “Google Play” then cybercriminals started exploiting it to target users of Android devices.

Computer security firm Trend Micro noted the emergence of many newly-created domains that imitate the Google Play site, and which contain malicious apps.

“(One such) malicious URL (with a .ru suffix) displays a fake Russian Google Play site. When translated to English, the text reads: ‘Download Google Play for Android Google Play is formerly known as the android market but now a vast and influential old android market combined with a store of books google ebookstore multi-format films and world music google music,” it said in a blog post.

“If anything, this attack shows just how quick cybercriminals can adapt to the fast-changing mobile landscape. Users are strongly advised to practice extreme caution when dealing with apps and app stores in general,” it added.

Earlier this year, Google renamed its Android Market to “Google Play,” where it also consolidated many of its services.

Trend Micro warned selecting the clickable images on the fake site would take visitors to another malicious Russian domain that offers suspicious Android apps.

Any attempt to download the Google Play application, google-play.apk, from the URL would point to a malicious file detected as ANDROIDOS_SMSBOXER.AB.

In turn, ANDROIDOS_SMSBOXER.AB leads to another malicious URL.

Trend Micro said ANDROIDOS_SMSBOXER.AB is a premium abuser type of mobile malware, which subscribes affected devices to premium services without the permission of the user, thus leading to unwanted charges.

It noted this malware is very similar to ANDROIDOS_OPFAKE.SME, an Android malware that gained notoriety for its ability to polymorph, or change its characteristics.

On the other hand, it noted the server that hosts ANDROIDOS_SMSBOXER.AB inserts unnecessary files into the APK to evade detection.

But it quoted Threats Analyst Kervin Alintanahin as saying this cannot be considered true polymorphic behavior, since no significant change is done to the APK’s source code.

“Due to this, security software can still easily detect the malicious files,” it added. — TJD, GMA News

Article source