Password Stealing Apps With Over A Million Downloads Found On Google Play Store

Solarquest

Even after so many efforts by Google like launching a bug bounty program and preventing apps from using Android accessibility services, malicious applications somehow manage to get into Play Store and infect people with malicious software.

The same happened once again when security researchers discovered at least 85 applications in Google Play Store that were designed to steal credentials from users of the Russian-based social network VK.com and were successfully downloaded millions of times.

The most popular of all masqueraded as a gaming app with more than a million downloads. When this app was initially submitted in March 2017, it was just a gaming app without any malicious code, according to a blog post published Tuesday by Kaspersky Lab.
However, after waiting for more than seven months, the malicious actors behind the app updated it with information-stealing capabilities in October 2017.

Besides this gaming app, the Kaspersky researchers found 84 such apps on Google Play Store—most of them were uploaded to the Play Store in October 2017 and were stealing credentials from VK.com users.

Other popular apps that were highly popular among users include seven apps with between 10,000 and 100,000 installations, nine with between 1,000 and 10,000 installations, and the rest had fewer than 1,000 installations.

Here's How Cyber Criminals Steal Your Account Credentials:
...
 

Deleted member 65228

Android attacks are increasing constantly, I imagine they double/triple for the total per year on an annual basis. It likely stems from the increase of popularity with smart phones and the trust that people provide to Google (e.g. Google Play). People might assume that Google Play is a safe environment entirely but this is far from the truth; I think that the Apple Store will be safer than Google Play.

To have your application published onto the Google Play store, I believe it costs around $25 and you need to have a Google account. Initially, I was under the impression that Google manually approves each submission, but to my eye it looks like the checks aren't as effective as you'd predict considering the increase in malicious Android applications or Google Chrome extensions.

In the sense of password stealing, the likelihood is that the stolen passwords will be re-sold on to others who are looking to purchase stolen accounts. The people responsible for actually stealing the credentials probably would not be involved with actually doing bad things with the account, because this would expose them further and leave more of a trace which points back to them being responsible for it all.

The attack vectors with smart phones can be intriguing... in a negative way. Applications like Snapchat and Instagram becoming compromised can leave nasty effects if someone were to act on your profile whilst pretending to be you (for example's sake).
 

Aleeyen

Downloading just from Play Store and thinking one will be safe is a bad idea; that's why one needs security apps on Android. Google and MS are not to be trusted with security at all.
 