With over 2.5 million apps available on Google Play Store, Google has beefed up its screening and security measures in an effort to protect users from downloading and installing malicious apps. However, despite these improvements in security checks, some bad actors have found ways to deploy malicious apps that deploy a variety of tricks to bypass these checks.
Recently, Google launched a campaign to protect keep its Play Store free from malware and apps that violated Play Store policy. Security Measures taken including daily scans, requiring of the Data Universal Number System (DUNS number) for an to be submitted on the playstore are all in a bid to protect users from malware and potentially harmful apps.
This crackdown has led to bad actors shift their approach and find ways to infect users with malware through web applications (WebAPKs). In order to achieve this, the cyber-criminals are tricking unsuspecting users into downloading infected web applications on Android so as to gain access to their sensitive information.
WebAPKs can be thought of as a “home screen shortcut” and they operate similarly to those from the play store but without too much demand on resources and battery life.
In a post, security researchers at CSIRT KNF, discovered the use of WebAPKs in a phishing campaign that duped unsuspecting users into installing malicious applications.
How does the Attack work?
The first phase of attack begins with a user receiving an SMS that contains the infected link. The simple social engineering technique would suggest to the user to update their banking app. The link contained in the message will direct the unsuspecting user to an “infected” site. As a result, the malicious application is installed in the victim’s device.
After installation, the user is presented with a fake interface that prompts for their credentials as well as complete two-factor Authentication. With this information captured, the attackers are able to effectively take over the victim’s account resulting in theft.
Despite offering advantages such as being resource-friendly, save up on storage space and better usage, WebAPKs pose serious security challenges.
This is due to the ability of a malicious app being installed on a device without triggering the typical warnings associated with installations from unknown sources while using WebAPKs.
One advantage of WebAPKs is that applications can be installed directly from the browser. This in effect allows developers to publish directly to users without necessarily passing through the Google Play Store.
Features that make WebAPKS attractive to developers also put users at risk from being targeted by malicious actors. It is thus important to know to protect yourself from such attacks.
Here is how to protect yourself against this type of attack.
- Only install apps from the official source such as Google Play Store.
- Turning on Google Play Protect from the Play Store.
- Avoid downloading and installing apps from third-party sources.
- Install reputable anti-virus and anti-malware software on your device.
- Avoid clicking on any links in the SMS received.
- Carry out due diligence on the received information.
Inspecting the contents of the received SMS is a first step in protecting yourself from phishing attacks. Here are some few giveaways to be on the look out for if you are suspicious of a given message:
- Errors and typos in the SMS. Pay attention to grammar used.
- Your bank has never contacted you in this manner before.
- The sender’s number is suspicious. Always check if it matches with your banks official number.
- Suspicious level of urgency where the attacker wants you to act quickly without taking time to consider.
- Is the message relevant to you?
- The offer is seems to good to be true.
However, these methods are not always flawless, always be skeptical and in the event of doubt contact your bank for clarification.