From Ars Technica
This week, Symantec Threat Intelligence’s May Ying Tee and Martin Zhang revealed that they had reported to Google a group of 25 malicious Android applications available through the Google Play Store. In total, the applications, which all share a similar code structure used to evade detection during security screening, had been downloaded more than 2.1 million times from the store.
The apps, which would conceal themselves on the home screen some time after installation and begin displaying on-screen advertisements even when the applications were closed, have been pulled from the store. But other applications using the same method to evade Google’s security screening of applications may remain.
Published under 22 different developer accounts, the apps had all been uploaded within the last five months. The similarity in coding across the apps, however, suggests that the developers “may be part of the same organizational group, or at the very least are using the same source code base,” May and Zhang wrote.
Most of the applications claimed to be either photo utilities or fashion-related. In one case, the app was a duplicate of another, legitimate “photo blur” application published under the same developer account name—with the legitimate version having been featured in the “top trending apps” category of Google Play’s Top Apps charts. “We believe that the developer deliberately creates a malicious copy of the trending app in the hope that users will download the malicious version,” May and Zhang concluded.