Deflect, Deny, Defend
Yesterday we learned of Google’s plans to require developers to somehow authenticate themselves with Google so they can be identified, or else their Android apps will be blocked from installation on any Android devices. This is ostensibly to reassure people that the apps are safe and not infected with malware, though apparently they have no plans to vet what the apps actually do. That makes today’s news somewhat amusing, as it has just been discovered an app vetted by Google and posted to the Google Play Store is infected with an updated version of the Anatsa banking trojan and has been downloaded ~19 million times.
This does not detract from the horror you should feel about the possibility you’ve inadvertently installed a keylogger and SMS interceptor on your phone. It does illustrate that putting your trust in Google’s ability to police their own Play Store, let alone third party storefronts might not be the wisest decision. There were 77 apps identified by Zscaler and while they didn’t list the specific apps they do offer some technical details on how the infection works. The apps should be gone now, Google claims they discovered them before Zscaler’s report. This may certainly be true but it is good to remember that there are some very effective ways to obfuscate malware inside Android apps, and you should always be careful installing apps, even from the Play Store.