Google Play Warning—331 Dangerous Phone Apps Bypass Security Controls (2025)

Update, March 20, 2025: This story, originally published March 18, has been updated with a statement from Google regarding the Google Play apps attack campaign.

When it comes to cybersecurity, bigger is most definitely not better. Whether you are talking about 427 million dangerous emails, one billion Bluetooth chips with hidden commands or infostealer malware compromising 26 million devices, those numbers are nothing if not scary. Now, security researchers have uncovered another big number: 60 million dangerous downloads of hundreds of malicious apps that have made it into the Google Play Store and bypassed security protections. Here’s what you need to know.

Large-Scale Google Play App Threat Campaign Confirmed

Just as other Google products and services, such as Gmail and Chrome, are often targeted by attackers, the Google Play Store is a prime candidate for the attention of criminals looking to upload malicious apps that bypass existing security measures. Google, to be fair, does a great job in keeping most of these out of harm’s way and those that do evade the security protections in place are generally quickly removed after discovery by Google itself or after researchers blow the alert whistle. The trouble is that cybercriminals are very good at evolving and adapting their methods when the payload is a healthy profit.

Researchers at Bitdefender have identified just such a group of criminals, or rather the campaign that they are executing, in a large-scale attack that has deployed at least 331 apps that have been downloaded in excess of 60 million times. “To be clear,” Bitdefender said, “this is an active campaign.” The latest malware apps that found their way into the Google Play Store went live in the first week of March. “When we finished the investigation a week later,” Bitdefender warned, “15 applications were still available for download on Google Play.”

The investigated apps bypassed Android security restrictions to start activities even if they were not running in the foreground and, Bitdefender researchers warned, without the permissions that are meant to be needed to do so. The result is the spamming of the victim with continuous and fullscreen ads as well as the serving up of user interface elements to facilitate phishing attacks.

Hundreds Of Dangerous Google Play Apps Could Lead To Credential Theft

It would appear that the threat campaign in question was initially uncovered by researchers from the IAS Threat Lab, as reported March 5. That report resulted in the removal of all the known malicious apps from the Google Play Store at the time. Bitdefender researchers, however, said that they found the campaign to be much larger than originally thought, with dangers extending past those that would be typically observed. “Criminals have used their access to devices to direct users towards phishing websites, not just to show them annoying full-screen ads,” the researchers said. Some of the apps, the researchers continued, had the technical capability to deploy phishing attacks via fullscreen activities. “Users could be asked to enter credentials from Facebook, YouTube or other online services, or credit card information under various pretexts,” they warned.

Although the handful of apps that still remain in the Google Play Store have not been identified, Bitdefender said that many of the apps in this campaign mimicked utility apps, including QR code scanners, expense tracking applications, health-related apps and that old chestnut when it comes to malicious activity, wallpaper apps.

Getting Around Google Play And Android Security Protections

There are a number of worrying takeaways from the Bitdefender research, not least how the attackers in question managed to hide the app icons from the launcher, something which is supposedly no longer technically possible in the latest Android versions. Bitdefender said that it observed a number of tactics being used to get around these protections.

“The app comes with the Launcher Activity disabled by default,” the researchers said, which means that by abusing the startup mechanism provided by the content provider, native code can be used to enable the launcher. This, Bitdefender said, “is likely carried out as an additional technique to evade detection.” Once setup is complete, the app simply disables the launcher and the icon vanishes, in effect. This could mean, the researchers warned, that the malicious developers “likely found a bug or are abusing the application programming interface.”

Attackers were also seen using a launcher that was designed for Android TV as well as the app hiding in settings and changing the name to a Google app such as Google Voice, all to evade detection. Finally, the apps can start without user interaction, something else that’s not meant to be technically possible in Android 13, as well as showing ads over other applications in the foreground.
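
Several of the tactics described above can be checked for in an app's manifest. The following is an added triage example, not code from Bitdefender, Google or the original article: it assumes a decoded AndroidManifest.xml (for instance from apktool) and assumes the disabled launcher, content-provider startup and Android TV launcher show up as the manifest attributes it tests. The sample manifest, package name and finding labels are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LAUNCHER = "android.intent.category.LAUNCHER"
LEANBACK = "android.intent.category.LEANBACK_LAUNCHER"  # Android TV launcher

# Constructed sample manifest for a hypothetical package; it is not taken
# from any app in the Bitdefender report.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
  <application android:label="QR Scanner">
    <activity android:name=".MainActivity" android:enabled="false"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <activity android:name=".TvEntry"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LEANBACK_LAUNCHER"/>
    </intent-filter></activity>
    <provider android:name=".InitProvider" android:exported="false"
              android:authorities="com.example.qrscanner.init"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return a sorted list of (finding, component) tuples for triage."""
    app = ET.fromstring(xml_text).find("application")
    findings, disabled_launcher = [], False
    for comp in app.findall("activity") + app.findall("activity-alias"):
        name = comp.get(ANDROID + "name")
        cats = {c.get(ANDROID + "name") for c in comp.iter("category")}
        enabled = comp.get(ANDROID + "enabled", "true").lower() != "false"
        if LAUNCHER in cats and not enabled:
            disabled_launcher = True
            findings.append(("launcher-disabled-by-default", name))
        if LEANBACK in cats and LAUNCHER not in cats:
            findings.append(("tv-only-launcher", name))
    # Providers are created at process start, before any activity runs. Many
    # legitimate libraries rely on this, so they are reported only when the
    # launcher entry is also disabled by default.
    if disabled_launcher:
        for prov in app.findall("provider"):
            findings.append(("provider-runs-at-startup", prov.get(ANDROID + "name")))
    return sorted(findings)

if __name__ == "__main__":
    for finding, component in audit_manifest(SAMPLE_MANIFEST):
        print(f"{finding:30} {component}")
```

These findings are review prompts rather than verdicts; behaviour added after publication, as the article notes later, would not appear in an earlier version's manifest.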

Google Play Security Protections Explained

A Google spokesperson provided me with the following statement: “All of the identified apps from this report have been removed from Google Play. Android users are also automatically protected by Google Play Protect, which is on by default on Android devices with Google Play Services.”

I have also had a lot of conversations with Google in the past when it comes to protecting users from malicious apps. Some of the protections that Google has in place include being proactive in using both automated detection procedures as well as human oversight. Features such as Chrome’s Safe Browsing, Android’s security features, and Play Protect for the Play Store all benefit from diverse threat information and intelligence signals. Nothing, however, is ever 100% guaranteed in the world of cybersecurity, and this latest campaign is proof of that. Google Play Protect, which is on by default on Android devices with Google Play Services, helps protect users by either warning them of or blocking known malicious apps. This checks apps at the point of installation but also periodically scans your Android device to detect and remove those harmful apps.

This ongoing scanning is an essential part of the protection offered to Google Play users when you consider that while most of the apps uncovered by the Bitdefender researchers first became active in the store during the last quarter of 2024, they didn’t display any dangerous behaviors. In fact, further analysis from Bitdefender found that these apps were all benign, without any malware components contained within their code. “The malicious behavior was added afterward,” Bitdefender concluded.

Article information

Author: Msgr. Refugio Daniel
