In the span of only four months, four large Android malware families were spread via Google Play, resulting in 300,000+ infections via multiple dropper apps, according to ThreatFabric research.
A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques.
The small malicious footprint is a response to new Google Play restrictions (current and planned) that limit the use of privacy-sensitive app permissions, such as the Accessibility Service, which in previous campaigns was one of the core tactics abused to automate the installation of Android banking trojans via dropper apps on Google Play, ThreatFabric says.
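The permission pattern ThreatFabric describes (a dropper that can both install packages and bind an Accessibility Service to click through the install for the user) is visible in an app's manifest before any code runs. The script below is an added example, not code from the article or from ThreatFabric: it parses an `AndroidManifest.xml` and flags that combination as a triage signal. The permission and action names are real Android identifiers; the scoring tiers, the package names and the two sample manifests are constructed for the example. Because the newer loaders deliberately keep a reduced footprint in the store listing, the check is most useful when re-run against every update of an app, not only its first submission.

```python
"""Manifest triage heuristic for dropper-style permission combinations.

Added example; not from the article or ThreatFabric. The Android
identifiers are real, the tiering and sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android identifiers used by the heuristic.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
# Other permissions that often accompany overlay/automation abuse (assumed weighting).
SUPPORTING_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.PACKAGE_USAGE_STATS",
    "android.permission.QUERY_ALL_PACKAGES",
}


def declared_accessibility_services(root):
    """Return names of <service> elements that bind as an Accessibility Service.

    A service qualifies either through android:permission=BIND_ACCESSIBILITY_SERVICE
    or through an intent-filter action for AccessibilityService.
    """
    names = []
    for svc in root.iter("service"):
        name = svc.get(ANDROID_NS + "name")
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            names.append(name)
            continue
        for action in svc.iter("action"):
            if action.get(ANDROID_NS + "name") == ACCESSIBILITY_ACTION:
                names.append(name)
                break
    return names


def triage_manifest(xml_text):
    """Score a manifest: 'review' when install + accessibility are combined,
    'check' when only one of them is present, 'low' otherwise."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    a11y = declared_accessibility_services(root)

    findings = []
    if INSTALL_PERMISSION in perms:
        findings.append("requests REQUEST_INSTALL_PACKAGES (can stage a second-stage APK)")
    if a11y:
        findings.append("declares Accessibility Service: " + ", ".join(a11y))
    for p in sorted(perms & SUPPORTING_PERMISSIONS):
        findings.append("supporting permission: " + p)

    if INSTALL_PERMISSION in perms and a11y:
        verdict = "review"   # the automated-install pattern the article describes
    elif INSTALL_PERMISSION in perms or a11y:
        verdict = "check"    # legitimate for installers / assistive apps; needs context
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "accessibility_services": a11y,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed sample manifests (not real apps).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

DROPPER_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name="com.example.pdfviewer.A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, DROPPER_LIKE_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], "->", r["verdict"])
        for f in r["findings"]:
            print("   ", f)
```

The verdict is a triage tier, not a malware verdict: a genuine assistive-technology app or an alternative app store will legitimately land in `check`, and the `review` tier only says a human should look at what the Accessibility Service actually does. Applied to a binary APK, the manifest first has to be decoded from its compiled form (for instance with `aapt dump xmltree` or apktool) before this parser can read it.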
John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, California-based digital IT and security operations company, explains, "Attackers will always seek to undermine the ecosystem where customers are at. Mobile apps are a logical place for attackers to focus on now that so much of our lives (including economic) are on our smartphones. There is only so much protection you can have when app stores are inherently reactive in detecting abusive apps. The same benefits application developers have in choosing the Android ecosystem are the same benefits criminals are going to use."
Casey Ellis, Founder and CTO at Bugcrowd, a San Francisco, California-based crowdsourced cybersecurity platform, says,
"Google could increase the rewards around theft of sensitive data in the Google Play bug bounty program, and include language to focus the white-hat security research community on searching for, discovering, and reporting trojan activity in the store. This is something that happens as a natural byproduct of running a bug bounty program, however, given the increase in attacker activity, it's definitely a candidate for deliberate focus."