Google is still failing to prevent rogue apps from being listed on its App Store, but it seems some named developers aren’t even being kicked off the platform. Security software company Malwarebytes reported on Tuesday that four apps listed by developer Mobile apps Group contain well-known malware used to steal user information. At the time of writing, all four apps are still listed on Google Play Store.
Worse still, Malwarebytes wrote that the developer in question had previously deployed malware to their apps, but they are still able to list their apps on Google’s main app store.
The apps are listed by the company Mobile apps Group, whose listing on Play Store includes the slogan “By using the smart app, you ensure strong and reliable Bluetooth pairing with any device”. Applications include:
- Bluetooth Auto Connect
- Driver: Bluetooth Wi-Fi, USB
- Bluetooth app sender
- Mobile transfer: smart switch
Nathan Collier, a malware intelligence analyst for Malwarebytes, wrote that when users first install Bluetooth Auto Connect, there is a delay of several days before it starts opening phishing sites in Chromium. These sites run in the background even if a device is locked and open automatically when users unlock their phone. These phishing sites would include porn sites that lead to phishing pages or other sites that spam users with messages that they have been hacked and need to update.
The mobile app group has been cited twice in the past for listing apps infected with malware, according to Collier. Other cybersecurity researchers blogged about an earlier version of Bluetooth Auto Connect. Two days after this blog post and subsequent delisting, the developers released a 3.0 version on Google Play, which means that these malicious developers didn’t even receive a trial period. The developers released the current version 5.7 of the app last December, which means the malware has potentially been around for nearly a year.
Google did not immediately respond to Gizmodo’s request for comment. Google has a stated policy against any app that includes malware of any type, and the system claims that it notifies users if it detects a violation of its malware policy.
Collier wrote that the first log entry of the malware called Android/Trojan.HiddenAds.TBGTHB is recorded a few hours after installing the app, although the time before installing it varies between different apps.
There have been numerous other high-profile malware app scandals on Google Play, including a Muslim prayer app that harvested users’ phone numbers. Last year, Google kicked off nine more apps from its store after researchers found they were using malware to steal users’ Facebook credentials.
Delaying malware infiltration is a common way for bad actors to circumvent App Store filters, Collier wrote. It’s still unclear why Google was unable to detect these apps, but another recent report by cybersecurity firm Bitdefender noted that there were 35 other malicious apps listed on Play Store that amassed more than 2 million total downloads. This August report noted that once these apps are installed, they rename themselves and change their app icon in order to confuse users and avoid detection. An even older July report from Dr. Web indicated that a few dozen other malware-infected apps were modifications of known malware.
Google Play Protect is the company’s built-in malware defense program and, according to its own page, it scans more than 100 billion apps on Google Play every day. But researchers have previously noted that it so consistently fails to catch malware, ranking last among other security apps in 2021 tests by computer security researchers AV Test.