Presto Change-o, Pixel Battery Saver Transforms into Potential Malware

Pixel Battery Saver once promised Android users a way to conserve battery life by applying a mesh of darkened pixels to the screen that dim the device display. With over 50,000 downloads, the app enjoyed some modest success, until recently.

The developer of Pixel Battery Saver was unable to monetize the app successfully, and instead sold it — and it’s user base — to a third party. Last week, the new owner updated the app on Google Play, but when the app was updated on installed devices, it actually became a different app called Complete Virus Protection. Unsuspecting users were left with an unknown and questionable app masquerading as an A/V solution which may actually be malicious.

After receiving several complaints, Google pulled the app from the Play store, but it has since been re-released under the old name and with an accompanying statement: “…Soon Releasing Ver37 update of the Pixel Battery Saver with the new buit in Antivirus feature to automatically scan all new app / game installs to keep your mobile phone free of viruses.”

What are the Potential Consequences?

Dynamic updating of an app is used by many app developers in order to provide specific customization for a device. This is mostly done for games using high-end graphics, but it’s also used in other cases to add features and to solve various issues such as overcoming Android platform gaps. This isn’t the same thing as a regular update – dynamic updating happens within the app and is an independent process that doesn’t require the Google Play store.

Updating an app is a necessary feature to maintain a great product. The problem is that the process can expose users to threats in a new way – updating existing legitimate apps with suspicious or malicious apps or with a malicious update. Most of the time, users will skim through requested permissions and almost automatically approve an application update. The fact that an app can simply morph into something completely different without any warning opens a whole range of security concerns:

• Legitimate apps can be bought by cybercriminals and replaced with malicious versions.
• Apps that started out harmless can receive malicious updates.

Has this Happened Before?

The Google Play store has a history of apps being updated with additional undesired features. For example, several highly popular strains of malware, such as Dropdialer and DroidKungFu, started as harmless apps on the Google Play Store and added their malicious capabilities via additional updates.

After the initial installation of a harmless app, packages containing malicious payloads were downloaded from the Internet sometime after application was installed on the device – either following the download of an update from the Google Play store or from a dynamic update from an outside (independent) source. This allowed the apps to remain undiscovered on the Play store for several weeks and to generate tens of thousands of installations.

Essentially, every type of malware can be downloaded and executed on a device using this “remote payload” method. The download action can be scheduled for specific or random dates in the future, or can even be initiated remotely by sending a command message to the devices.

How can users protect their devices from similar threats?

Cases that involve self-updating malware or apps with unorthodox updates and/or modifications (such as the case we’re dealing with here) cannot be detected by standard static code analysis techniques. Since the original version of the app is essentially harmless, these security solutions would miss the potential threat because they lack the relevant detection mechanisms.

Only solutions which include conclusive dynamic analysis of apps and can perform detailed network inspection would be able to identify threats such as this one.