Part of what makes Google Play a better experience for developers is that they can easily publish to the store without an extensive wait between submission and actual distribution. That’s because the apps are tested by computers for specific conditions and then allowed to publish. Further investigation is done afterwards to ensure that they are indeed completely following the rules, and if they aren’t, sometimes the apps are removed and the developers’ accounts are terminated without warning.
Unfortunately, that sometimes has downsides in the form of things slipping through and having the potential to cause damage to users’ devices or worse. In October 2015, Lookout started monitoring a group of apps that were exhibiting behavior similar to that of the Brain Test family of malware. According to Lookout’s blog post, the developers spent 2-3 months experimenting to see what types of names, games, and techniques they could use to publish to Google Play without being detected; then, on December 23rd, one of the apps, Cake Tower, was updated to take on its malicious properties.
According to the original blog post from Check Point, the discoverers of Brain Test, the malware works by publishing a relatively benign-looking app to the Play Store and then having that app download an additional package that attempts to take advantage of known exploits to root the device. If root is achieved, it installs a malicious app to the system partition of the device so that even if the user removes the original offending application, the malicious app remains permanently installed on the device. From there, these apps are designed to download other applications to the device as a paid service to other developers who want their apps more widely distributed. While the authors are making their money on guaranteed application installs, this type of exploit could be used for much more nefarious purposes.
After the update was published to Google Play, Lookout reported it and all of the developer’s other apps to Google on December 29th and they were promptly removed. Lookout warns that once the app has been installed to the system partition, a factory reset will not remove it because factory resets don’t wipe the system partition. Their recommendation is to obtain a factory image from your device manufacturer and flash it to completely remove the offending application. After examining how deeply these apps tend to burrow themselves into devices, it seems like that’s the least headache-inducing option if you’re comfortable with it (and your phone OEM will provide you with an image). If either of those isn’t true, your best bet would probably be to call customer service for your carrier or device OEM to see what they can do.
The conclusion offered by Lookout is to, well, look out for apps or games that seem fishy. They also recommend that you install a security app (like Lookout) on your phone to be sure that you’re protected from apps like these.
Lookout: “While it’s definitely true that users are considerably safer when downloading only from a mainstream source like the Google Play Store, we recommend users remain cautious and use additional security software to ensure the safety of their device.”
Ultimately, these apps are few and far between, and while it’s definitely good to remain cautious, it’s unlikely any of them will ever surface in the top apps in the Play Store; more likely, they will be removed before they do.