A new piece of Android malware has been discovered with two components: a downloader available on Google Play and the spyware app it downloads. The authors have disguised their scheme as font-installing apps.
Offering an app that claims to download more content is a rather simple way to bypass Google Play’s security systems. This is a perfect example of why humans need to approve apps before they can arrive in an app store, and why each feature needs to be tested thoroughly.
We have verified that the two apps found by Webroot are still available on Google Play. The good news is that the first app had fewer than 100 downloads and the second had somewhere between 10,000 and 50,000 – hardly popular apps by Android’s standards.
It’s not currently clear if other similar apps are available, but it’s easy to see how they could be modified to claim to push other content instead of fonts, such as music, videos, or games, which would lead to a dramatically larger potential install base. What these apps download could also be changed by simply plugging in a different URL, as you can see from the apps’ code:
The downloaded spyware is called iKno Android Spy. Here are its features, according to the app’s website:
- SMS: Get to view incoming, outgoing and draft SMS by logging in to your web portal. Synchronization is almost instant. All messages will be forwarded to your account even if they are immediately deleted.
- Call Logs: Just like SMS, all incoming, outgoing and missed calls can be forwarded to your registered account. You will be able to view the call number, time and duration.
- Location Updates: Get to know the exact location of the device you are monitoring. You can request the device to send you the location details to your online account where you will view via a map.
It’s not clear whether iKno Android Spy does everything as described, or whether it also sends the data back to someone else. It’s fair to say, however, that if another app is downloading it, you don’t have control over what iKno is doing.
We have contacted Google about this threat. We will update this article if we hear back and when it is removed.
Update on May 11: The apps have been removed from Google Play.