Threat actors have turned to a sophisticated technique known as versioning to evade malware detection measures on the Google Play Store and focus on targeting Android users, particularly their sensitive credentials, data, and financial information.
Google’s Cybersecurity Action Team (GCAT) has highlighted this concerning trend in their August 2023 Threat Horizons Report, underscoring the severity of campaigns employing versioning. Although not a new strategy, versioning employs a subtle and elusive approach, allowing developers to initially release an innocent app version that successfully passes Google’s pre-publication checks. Subsequently, these apps are updated with malicious components, often facilitated through dynamic code loading (DCL) from attacker-controlled servers, effectively transforming the app into a backdoor.
One notable instance of this technique was the “iRecorder – Screen Recorder” app, which remained benign for almost a year on the Play Store before being surreptitiously modified to spy on users.
Another example, SharkBot, a financial trojan, repeatedly posed as legitimate security and utility apps to gain unauthorized access to compromised devices and execute unauthorized money transfers. The use of dropper applications is also prevalent: an app with limited functionality is installed first and then downloads the complete malware payload, drawing less scrutiny than a fully malicious initial release.
In light of these emerging threats, it is crucial for Android users to exercise caution by relying on trusted app sources like Google Play and enabling Google Play Protect for notifications about potentially harmful apps.
Furthermore, the evolving nature of versioning and its ability to exploit Android vulnerabilities underlines the necessity of implementing robust defense-in-depth strategies, especially in enterprise settings. This approach includes restricting app installation to trusted sources and utilizing mobile device management (MDM) platforms to manage and secure corporate devices, ultimately safeguarding against the persistence and stealth of versioning-based attacks.
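As an added defensive illustration (not code from the report or from Google), the following Python snippet shows how an MDM or app-vetting pipeline could diff two versions of the same package and flag an update that newly introduces dynamic code loading or high-risk permissions, the exact pattern versioning relies on. The version records and the indicator sets are constructed assumptions for this example.

```python
"""Flag an app update that newly introduces dynamic code loading (DCL)
or high-risk permissions, the hallmark of a versioning-style attack."""
from dataclasses import dataclass, field

# Class references that indicate code loaded at runtime rather than shipped in the APK.
DCL_INDICATORS = {
    "dalvik/system/DexClassLoader",
    "dalvik/system/InMemoryDexClassLoader",
}
# Permissions an abusive update commonly adds (assumption: tune to your fleet's policy).
HIGH_RISK_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
}


@dataclass
class AppVersion:
    """Minimal metadata extracted from one APK version (hypothetical schema)."""
    version_code: int
    permissions: set = field(default_factory=set)
    class_refs: set = field(default_factory=set)


def diff_update(old: AppVersion, new: AppVersion) -> dict:
    """Return the risk-relevant changes between two versions of the same package."""
    new_dcl = (new.class_refs - old.class_refs) & DCL_INDICATORS
    new_perms = (new.permissions - old.permissions) & HIGH_RISK_PERMISSIONS
    return {
        "introduces_dcl": sorted(new_dcl),
        "new_high_risk_permissions": sorted(new_perms),
        "suspicious": bool(new_dcl or new_perms),
    }


# Constructed sample: a benign v1 followed by an update that adds DCL and an
# accessibility-service permission, mirroring the versioning pattern.
V1 = AppVersion(1, {"android.permission.INTERNET"}, {"com/example/app/MainActivity"})
V2 = AppVersion(
    2,
    {"android.permission.INTERNET", "android.permission.BIND_ACCESSIBILITY_SERVICE"},
    {"com/example/app/MainActivity", "dalvik/system/DexClassLoader"},
)

if __name__ == "__main__":
    print(diff_update(V1, V2))
```

In practice the permission and class-reference sets would be populated from the manifest and DEX of each version, and a `suspicious` result should hold the update for review rather than block it outright.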