For the past year, Android malware authors have been increasingly relying on a solid trick for bypassing Google's security scans and sneaking malicious apps into the official Play Store.
The trick relies on a technique that is quite common in desktop malware but which, over the last year, has also become popular on Android.
The technique involves the usage of "droppers," a term denoting a dual or multiple-stage infection process in which the first stage malware is often a simplistic threat with limited capabilities, and its main role is to gain a foothold on a device in order to download more potent threats.
Droppers are very effective on the mobile scene
But while droppers are not particularly effective in desktop environments, where widely deployed antivirus software detects both the dropper and its second-stage payload, the technique works well on mobile.
This is because most mobile phones don't run an antivirus, so there is no on-device threat scanner to catch the second-stage payload once it is downloaded.
This means that the only security measures that are in place are the security scans that Google runs before approving an app to be listed on the Play Store.
Malware authors have realized in the past years that Google has a very hard time picking up "droppers" hidden in legitimate apps. Over that period, more and more malware operations have adopted this trick of splitting their code in two: a dropper and the actual malware.
The reason is that droppers require fewer permissions and exhibit little behavior that could be classified as malicious. Furthermore, adding timers that delay the execution of any malicious code by a few hours also helps the malware remain undetected during Google's scans, which run for a limited time.
These simple tricks allow tiny pieces of malicious code to slip inside the Play Store hidden in all sorts of apps, of many categories.
Once users run the apps, which in most cases do what they advertise, the malicious code executes, the dropper asks for various permissions, and if it gets them, it downloads a far more potent piece of malware.
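The staging pattern the article describes (a small footprint, a delayed trigger, a network fetch, then loading or installing a second stage) is something a defender can triage statically, before an app ever runs. The following is an added example, not code from the article or from any Google tooling: it scores the features a static-analysis pipeline would already extract from an APK, namely the permissions declared in AndroidManifest.xml and the framework API references found in the DEX code. The manifest text and the reference lists are constructed sample data; the indicator sets are assumptions about which real Android APIs support each staging behavior, not a list from the article.

```python
"""Heuristic triage of an Android app's static features for dropper-like staging.

Added example, not from the original article. Inputs are a manifest (XML text)
and a list of API references as a DEX disassembler would report them.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest resembling a small utility app with few permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flashlight"/>
</manifest>"""

# Constructed API references: delayed trigger, network fetch, dynamic code loading.
SAMPLE_REFERENCES = [
    "Landroid/app/AlarmManager;->setExact",
    "Ldalvik/system/DexClassLoader;-><init>",
    "Ljava/net/HttpURLConnection;->getInputStream",
    "Landroid/content/Intent;->setDataAndType",
]

# Constructed benign counterpart: same small permission set, no staging APIs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""
BENIGN_REFERENCES = [
    "Ljava/net/HttpURLConnection;->getInputStream",
    "Landroid/widget/TextView;->setText",
]

# Assumed indicator sets (real Android classes), grouped by staging behavior.
INDICATORS = {
    "dynamic_code_loading": {
        "Ldalvik/system/DexClassLoader;",
        "Ldalvik/system/InMemoryDexClassLoader;",
        "Ldalvik/system/PathClassLoader;",
    },
    "delayed_execution": {
        "Landroid/app/AlarmManager;",
        "Landroid/app/job/JobScheduler;",
        "Landroid/os/Handler;->postDelayed",
    },
    "network_fetch": {
        "Ljava/net/HttpURLConnection;",
        "Lokhttp3/OkHttpClient;",
        "Ljava/net/URL;->openConnection",
    },
}
PERMISSION_INDICATORS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install_prompt",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence",
}


def parse_permissions(manifest_xml):
    """Return the sorted list of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission"))


def match_indicators(references):
    """Map each indicator category to the references that matched it."""
    hits = {}
    for category, prefixes in INDICATORS.items():
        matched = sorted(r for r in references if any(r.startswith(p) for p in prefixes))
        if matched:
            hits[category] = matched
    return hits


def triage(manifest_xml, references):
    """Flag the fetch-then-load/install combination that characterizes a dropper."""
    permissions = parse_permissions(manifest_xml)
    hits = match_indicators(references)
    for perm, category in PERMISSION_INDICATORS.items():
        if perm in permissions:
            hits[category] = [perm]
    # A second stage needs a way in (network) and a way to run (load or install).
    can_fetch = "network_fetch" in hits
    can_stage = bool({"dynamic_code_loading", "install_prompt"} & hits.keys())
    verdict = "review" if can_fetch and can_stage else "pass"
    return {
        "permission_count": len(permissions),  # droppers stay small on purpose
        "indicators": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_REFERENCES))
    print(triage(BENIGN_MANIFEST, BENIGN_REFERENCES))
```

The point of the `delayed_execution` category is that it is evidence, not a verdict on its own: scheduling APIs are common in legitimate apps, so the rule only escalates when a fetch capability is paired with a way to load or install fetched code. A low permission count is reported rather than scored, because, as the article notes, a small footprint is exactly what a dropper aims for and cannot by itself distinguish it from a harmless utility.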