In The Wild: Google Can’t Close the Door on Android Malware

Mobile Security Observations from the Check Point Research Team

After its presentations on “SideStepper” and on trends in mobile attacks at Black Hat Asia, the Check Point mobile research team was not surprised to find that the trends it pointed out continue. Google Play has been infiltrated by malware yet again, and, as our colleague Avi Bashan noted about previous attacks on official app stores, the team has found additional samples of the malware in Google Play even after the store was supposedly cleaned.

The malware is “Android.Spy.277.origin”, which infiltrated more than 100 apps on Google Play. The apps deceived users by posing as popular legitimate apps. Once an infected app is installed, the attacker can remotely push a further malicious APK, called “”, to the device through the C&C server. To persuade the user to grant it the permissions it needs, the malware relies on social engineering. Interestingly, the research team found the very same malicious component in some instances of the Kemoge malware and in the Libskin malware family, both of which have rootkit capabilities.

After the malware is installed, it sends a wide array of information about the device to its C&C servers, including the user’s email address and location, and it does so every time any app is launched on the device. The malware also pops up advertisements to earn fraudulent ad revenue, and it uses scareware tactics: it tells users the device has battery problems that can be fixed by installing further (fraudulent) apps.


Even after Google removed these samples from Google Play, our research team found an additional app containing the same malicious payload. This app, which has between 1M and 5M downloads, carries the malicious code but never references it, so the app itself will not execute it; dormant code like this could still be activated as part of a larger attack.



This again demonstrates that users cannot rely on official app stores alone to stay protected. Malware has infiltrated these stores on multiple occasions and can remain there even after it has been found. Unfortunately, this is not the first time this has happened, and it will most probably not be the last.

Developers with good intentions but worst practices

Many Android apps appear to be vulnerable to “surreptitious sharing.” Using this vulnerability, researchers have managed to exploit several major apps, including Skype, Gmail and Telegram. The vulnerability stems from the Android Intent API used to share data between apps. This API supports sharing files by reference, a URI (Uniform Resource Identifier) that indicates where the file is, instead of passing the file contents themselves.

Malware can abuse this. A specially crafted intent sent to a target email or messaging app can carry a URI that points to a file inside the target app’s own private storage, data that the Android sandbox makes unreadable to the attacking app. The target app, which can read its own files, then handles that file as if the user had chosen to share it.
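The pattern described above, as an added example that is not code from Check Point or from any of the apps named in this post. It shows a receiving activity that handles a share intent in the vulnerable way (attach whatever the URI points to) beside a hardened check that refuses file:// URIs resolving into the app’s own private data directory, plus the crafted intent an attacking app would send. Package names, file paths and the messenger app are hypothetical; the Android framework calls are real.

```java
// Added example, not code from Check Point or from any named app.
// Package names and file paths are hypothetical. Android framework, Java.
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

import java.io.File;
import java.io.IOException;

public class ShareReceiverActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        Uri stream = intent.getParcelableExtra(Intent.EXTRA_STREAM);
        if (!Intent.ACTION_SEND.equals(intent.getAction()) || stream == null) {
            finish();
            return;
        }

        // VULNERABLE pattern: trust the URI and attach whatever it points to.
        // This activity runs under the messaging app's own UID, so it can read
        // /data/data/com.example.messenger/... even though the sender cannot.
        //   File leaked = new File(stream.getPath());   // do not do this

        // HARDENED pattern: reject file:// URIs that resolve into our private storage.
        if (!isSafeToAttach(stream)) {
            finish();
            return;
        }
        // Only now proceed to attach `stream` to the outgoing message.
    }

    /** True only if the URI cannot reach this app's private data directory. */
    boolean isSafeToAttach(Uri uri) {
        String scheme = uri.getScheme();
        if ("content".equals(scheme)) {
            // Served by a ContentProvider, which applies its own permission
            // checks; still confirm the authority is one you expect before opening.
            return true;
        }
        if (!"file".equals(scheme) || uri.getPath() == null) {
            return false;
        }
        try {
            // Canonicalise both sides: /data/data/<pkg> is normally a symlink to
            // /data/user/0/<pkg>, and "../" segments must not dodge the prefix test.
            String target = new File(uri.getPath()).getCanonicalPath();
            String privateDir = new File(getApplicationInfo().dataDir).getCanonicalPath();
            return !target.equals(privateDir)
                    && !target.startsWith(privateDir + File.separator);
        } catch (IOException e) {
            return false; // unresolvable path: deny
        }
    }

    /**
     * What the attacking side sends (hypothetical package names). The malware
     * itself cannot read the path below; the messenger can, which is the point.
     */
    static Intent craftedShareIntent() {
        Intent i = new Intent(Intent.ACTION_SEND);
        i.setType("text/xml");
        i.setPackage("com.example.messenger");
        i.putExtra(Intent.EXTRA_STREAM,
                Uri.parse("file:///data/data/com.example.messenger/shared_prefs/session.xml"));
        return i;
    }
}
```

Rejecting file:// URIs outright is the simpler and safer policy for an app that receives shares; the prefix check above is the minimum for an app that still needs to accept them. Whichever you choose, apply the same test to any path that reaches the attachment code from outside the app, not only to EXTRA_STREAM.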

Both of these cases demonstrate how basic flaws introduced by app developers can expose users to attacks and data leaks. According to Check Point research across more than 1.5M different apps, nearly 43% of iOS apps and 46% of Android apps leak data. Leaked data can end up in the wrong hands, even when that was never the developer’s intention.

For the best protection, users should deploy comprehensive solutions that defend against both leaky apps and malware.

Android 2015 security report recognizes Certifi-gate

Google’s annual Android security report mentions Certifi-gate, a vulnerability found by Check Point researchers, as one of the main app vulnerabilities of the past year:

“At Black Hat in Las Vegas, Check Point Software revealed an exploit against the authentication methodology used by several third-party mobile Remote Support Tools (mRSTs). mRSTs are not a part of the core Android OS and are not provided by Google. This vulnerability was named Certifigate. The vulnerability occurs with apps improperly validating the serial number on certificates, which was used to grant remote access to the device. mRSTs are frequently pre-installed on devices by manufacturers and others as a way to take remote control of a device to provide support for issues. Once we were alerted to the potential unauthorized use of this feature, we removed the apps from Google Play. We also added checks in Verify Apps to prevent potential exploitation by applications outside of Google Play. We have seen no exploitation of this vulnerability to date.”

Contrary to this claim by Google, Check Point researchers found an additional app exploiting this exact vulnerability, even after Google said it had scrubbed Google Play of such apps. So this again demonstrates that users cannot rely on official app stores to keep them safe.
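The validation mistake Google’s report describes, “improperly validating the serial number on certificates” before granting remote access, as an added example that is not code from Check Point, Google or any mRST vendor. The weak check is the Certifi-gate pattern: it compares only the serial number of the caller’s signing certificate, a field the certificate’s creator picks freely, so a self-signed certificate with a copied serial passes. The strong check pins the SHA-256 digest of the whole signing certificate, which commits to the public key. The package name, expected serial and expected digest are hypothetical placeholders; the Android and java.security calls are real.

```java
// Added example, not code from Check Point, Google or any mRST vendor.
// Expected values below are hypothetical placeholders. Android framework, Java.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;

import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public final class CallerAuthorization {

    // Hypothetical: serial number carried by the vendor's real signing certificate.
    private static final BigInteger EXPECTED_SERIAL = new BigInteger("0123456789abcdef", 16);

    // Hypothetical: SHA-256 of the vendor's real DER-encoded signing certificate.
    private static final String EXPECTED_CERT_SHA256 =
            "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff";

    /** Signing certificates of the package asking for remote control. */
    static X509Certificate[] signingCerts(Context ctx, String callerPackage) throws Exception {
        // GET_SIGNATURES is deprecated from API 28 in favour of
        // GET_SIGNING_CERTIFICATES; the check that follows is the same either way.
        PackageInfo info = ctx.getPackageManager()
                .getPackageInfo(callerPackage, PackageManager.GET_SIGNATURES);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] certs = new X509Certificate[info.signatures.length];
        for (int i = 0; i < certs.length; i++) {
            Signature s = info.signatures[i];
            certs[i] = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(s.toByteArray()));
        }
        return certs;
    }

    /**
     * WEAK (the Certifi-gate pattern): the serial number is just a field the
     * certificate's creator chooses. Anyone can mint a self-signed certificate
     * with the same serial, sign an app with it, and pass this check.
     */
    static boolean weakCheck(X509Certificate cert) {
        return EXPECTED_SERIAL.equals(cert.getSerialNumber());
    }

    /**
     * STRONG: pin the digest of the whole certificate, which commits to the
     * public key. Only the holder of the matching private key can produce an
     * APK signature that Android accepts under that certificate.
     */
    static boolean strongCheck(X509Certificate cert) throws Exception {
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        byte[] expected = hexToBytes(EXPECTED_CERT_SHA256);
        return MessageDigest.isEqual(actual, expected); // constant-time comparison
    }

    /** Grant remote control only if every signer of the caller is pinned. */
    static boolean callerIsTrusted(Context ctx, String callerPackage) {
        try {
            X509Certificate[] certs = signingCerts(ctx, callerPackage);
            if (certs.length == 0) {
                return false;
            }
            for (X509Certificate c : certs) {
                if (!strongCheck(c)) {
                    return false;
                }
            }
            return true;
        } catch (Exception e) {
            return false; // unknown package or unparsable certificate: deny
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Two practical caveats. First, `callerPackage` must come from the kernel-verified caller identity (`Binder.getCallingUid()` resolved through `PackageManager.getPackagesForUid`), never from a string the caller supplies in the intent, or the whole check is spoofable. Second, if the app is signed by more than one certificate, every one of them must match the pin, which is why `callerIsTrusted` loops rather than looking at `signatures[0]` only.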

Learn more:
Check Point Mobile Threat Prevention

See it in action:
Schedule a demo of Mobile Threat Prevention

Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.