Google still fails to prevent malicious apps from being listed on its app store, and it seems that some developers who were cited are not even kicked off the platform. Security software company Malwarebytes reported Tuesday that four apps listed by developer Mobile apps Group contain well-known malware used to steal user information. At the time of writing, all four apps are still listed on the Google Play Store.
Worse still, Malwarebytes wrote that the developer in question had previously deployed malware in its apps but was still able to list them on Google’s main app store.
The apps are listed by the company Mobile apps Group, whose listing on Play Store includes the slogan “By using the smart app, you ensure strong and reliable Bluetooth pairing with any device”. Applications include:
- Bluetooth Auto Connect
- Driver: Bluetooth Wi-Fi, USB
- Bluetooth app sender
- Mobile transfer: smart switch
Nathan Collier, a malware intelligence analyst for Malwarebytes, wrote that when users first install Bluetooth Auto Connect, there is a delay of several days before it starts opening phishing sites in Chromium. These sites run in the background even if a device is locked, and they open automatically when users unlock their phone. The sites include porn sites that lead to phishing pages or other sites that spam users with messages claiming that they have been hacked and need to update.
Mobile apps Group has been cited twice in the past for listing apps infected with malware, according to Collier. Other cybersecurity researchers have blogged about an earlier version of Bluetooth Auto Connect. Two days after this blog post and the subsequent delisting, the developers released a 3.0 version on Google Play, which means that these malicious developers didn’t even receive a trial period. The developers released the current version 5.7 of the app last December, which means the malware has potentially been present for almost a year.
Google did not immediately respond to Gizmodo’s request for comment. Google has a declared policy against any application containing malware of any type, and the system claims that it notifies users if it detects a violation of its malware policy.
Collier wrote that the first log entry from the malware, called Android/Trojan.HiddenAds.TBGTHB, is recorded a few hours after the app is installed, although the timing varies between different apps.
There have been many other high-profile malware app scandals on Google Play, including a Muslim prayer app that collected users’ phone numbers. Last year, Google removed nine other applications from its store after researchers discovered they were using malware to steal users’ Facebook credentials.
Delaying malicious activity is a common way for bad actors to circumvent app store filters, Collier wrote. It’s still unclear why Google couldn’t detect these apps, but another recent report from cybersecurity firm Bitdefender noted there were 35 other rogue apps listed on the Play Store, which amassed more than 2 million downloads in total. This August report noted that once these apps are installed, they rename themselves and change their app icon in order to confuse users and avoid detection. A similar earlier report from July by Dr. Web noted that a few dozen other malware-infected apps were modifications of known malware.
Google Play Protect is the company’s built-in malware defense program and, according to its own page, it scans more than 100 billion apps on Google Play every day. But researchers have previously noted that it often fails to catch malware; it ranked last among security apps in 2021 tests by computer security researchers at AV Test.