Google has been busy with its delete button, with multiple threats sneaking their way inside Android’s best secured app vault. This comes hot on the tail of the latest warning that Android is under attack.
A deadly Anatsa/Teabot malware was removed from the store after an ad fraud scheme that resulted in the removal of 180 apps with 56 million downloads. Phishing Play Store sites are also being used to deceive consumers into installing dangerous apps.
Now another threat has been outed, with Google confirming all the newly “identified apps” hiding a nasty new spyware have also been ousted from Play Store. This latest warning came courtesy of Lookout, which attributed the new KoSpy malware “to the North Korean group APT37.”
By Gamuchirai Mapako
The team says the spyware “can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots”, targeting users in multiple countries.
This most recent alert obviously calls into question the barriers Google has put up around the Play Store. Google’s claim to be a protector of Android users’ security is falling short once again. It’s evident that Google is still having trouble keeping dangerous spyware, like KoSpy, out of its ecosystem, even after removing a number of malicious apps from the Play Store recently.
The new malware attacks seemingly date back at least to early 2022 and are still in the wild now. KoSpy has been observed using fake utility application lures, such as ‘File Manager’, ‘Software Update Utility’ and ‘Kakao Security,’ to infect devices.
The spyware comes with an impressive list of capabilities, including collecting SMS messages and call logs, retrieving device location, accessing files and folders on local storage, recording audio and taking photos with the cameras, capturing screenshots or recording the screen while in use, recording keystrokes by abusing accessibility services, collecting Wi-Fi network details and compiling a list of installed applications.
While none of the identified apps remain on Play Store, they will be available elsewhere. As well as KoSpy, users are advised to remove any of the ad fraud and Anatsa apps which Google has also confirmed have been deleted from the store. Users should also ensure Google’s Play Protect is enabled at all times on their devices.
“Google Play Protect automatically protects Android users from known versions of this malware on devices with Google Play Services, even when apps come from sources outside of Play.”
A timely new report from UCL in London has just warned that “some ‘unofficial’ parental control apps have excessive access to personal data and hide their presence, raising concerns about their potential for unethical surveillance as well as domestic abuse,” highlighting that sideloaded apps are much riskier than those on Play Store.
The new study “is the first to compare ‘official’ parental control apps available in the Google Play Store and ‘sideloaded’ or ‘unofficial’ parental control apps available from other sources.”
The team found that sideloaded apps were more likely to hide their presence from the phone user and require excessive permissions, including ‘dangerous’ permissions such as being able to access personal data, like precise user location, at all times.
The study reveals that turning off Google Play Protect can cause sideloading problems, especially for children’s phones. 17 out of 20 sideloaded apps advise users to turn it off, as it may identify harmful parental control apps and disable them. 13 apps were detected by Google Play Protect version 42.1.27-31, whereas seven were not considered to be harmful: Bark, EvaSpy, FlexiSpy, Spapp Monitoring, SPYX, TheOneSpy and TiSpy.
This is just the latest report to highlight sideloading risks, which Google itself warns is dangerous. The interesting part is that parental control apps by their nature will ask for excessive permissions to operate. It’s a boon for data harvesters to be able to operate in this way on your phone. But for apps in such a sensitive area to be able to lure users into installing, potentially disabling Play Protect in the process, is dangerous.
While Samsung is hardening its devices against sideloading more than Google, the Android-maker has been more vocal on the dangers of installing apps from outside Play Store, notwithstanding this latest Play Protect change.
All this is made more complex by current regulatory pressure on Google and Apple to open up their devices to app stores beyond their own.
Google has long promised to eradicate such abuse, removing these apps from Play Store and monitoring on-device behaviour. But all this remains work in progress. Multiple warnings last year highlighted just how rife such Play Store abuse remains.
With even Samsung now set to release Android 15 with its One UI 7 release, attention will quickly turn to Android 16, which is due for release in June, a quarter ahead of the usual annual cycle.
While this will put pressure on Android OEMs, it is good from a user perspective, bringing new security and privacy innovations. One of these will be Google’s extension of its Advanced Protection Program, which will now add a flag for apps on an enrolled device to shore up security and will also block sideloading. Beta 3 of Android’s next OS has just been released for Pixel users.