Google has yet to remove two apps infected with dangerous malware that are currently still available for download via the official Google Play Store.
The apps are named "Earn Real Money Gift Cards" — an app for winning gift cards by installing other apps on your phone — and "Bubble Shooter Wild Life" — a mobile game. Both apps were developed and recently uploaded on the Play Store by the same developer, named Boris Block.
The apps were first spotted by security researchers from SfyLabs, and later by the Zscaler team. Both companies said they informed Google. At the time of writing, both apps are still available on the Play Store, but they still have a low install count, with fewer than 5,000 downloads.
The first app is infected with the BankBot malware, while the second is a "dropper" — a type of malware used to install other malware on the instructions of a remote command-and-control server.
BankBot is a mobile banking trojan whose source code leaked online last December and has since been adopted by multiple malware authors. The trojan is notorious for its ability to bypass Google's security checks and make it onto the Play Store.
According to Cengiz Han Sahin, co-founder of SfyLabs, this is the seventh wave of BankBot malware that has made it onto the official Google Play Store.
The second app includes a never-before-seen malware downloader. Both SfyLabs and Zscaler point out that this malware sample is unique.
The thing that caught their eye is how this second app — Bubble Shooter Wild Life — abuses the Android Accessibility feature.
By now, it's no secret that a large number of recently created malware strains try to trick users into granting access to the Accessibility feature. This is a popular trend in Android malware.
Until now, malware has used the Accessibility feature to mimic user taps and grant itself access to a separate admin account, which it uses to secretly take control of the user's phone.
Below is a video from ESET security researcher Lukas Stefanko showing how malware abuses the Accessibility feature to get admin rights.
One of the most recent cases where we've seen malware abusing the Accessibility feature to get admin rights is the Svpeng banking trojan that was recently put up for sale on an underground hacking forum.
What's different with the "Bubble Shooter Wild Life" app is that the malware contained inside uses the Accessibility feature to enable the "Installation from Unknown Sources" option and install another app.
"It is definitely a game changer," Sahin told Bleeping Computer about this new wrinkle in the way crooks abused the Accessibility feature.
Both SfyLabs and Zscaler researchers point out in separate reports that the malware's operation often fails, and at a different stage in each analysis. This led both research teams to believe that the malware is still under development.
Nonetheless, the technique is now in the public domain and will no doubt be copied by other Android malware devs and added to their malware arsenals.
If you're curious to know how both of these apps made it onto the Play Store, the answer is simple and involves delaying any malicious operations until a later time. Both malware strains wait 20 minutes before executing any malicious actions, by which time Google has finished its security scans and approved the app for listing on the Play Store. This very same trick has been used for more than a year by a plethora of malware strains, and it's worrisome that Google has not found a way to counteract it.
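As an added triage example (not code from SfyLabs, Zscaler or the malware itself), the check below scans a decoded AndroidManifest.xml for the two capabilities the dropper described above relies on: an accessibility service declaration and the ability to start package installs. Flipping the "Unknown Sources" setting needs no permission of its own, so the accessibility declaration alone is the primary signal; the manifest and package name are constructed for the example.

```python
"""Static triage: flag a manifest that declares an accessibility service
and/or install permissions, the combination a casual game should not need."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INSTALL_PERMS = {"android.permission.REQUEST_INSTALL_PACKAGES",
                 "android.permission.INSTALL_PACKAGES"}

# Constructed sample manifest (not the real app's): a "game" that binds an
# accessibility service and asks to start installs from its own package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bubblegame.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Bubble Game">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return which risky capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    accessibility_services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if (ACCESSIBILITY_ACTION in actions
                or svc.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY):
            accessibility_services.append(svc.get(ANDROID_NS + "name"))
    return {
        "accessibility_services": accessibility_services,
        "install_permissions": sorted(perms & INSTALL_PERMS),
        # Any accessibility service in an app with no accessibility purpose
        # deserves manual review; paired with install ability it matches the
        # dropper pattern described in the article.
        "needs_review": bool(accessibility_services),
        "dropper_pattern": bool(accessibility_services) and bool(perms & INSTALL_PERMS),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest extracted with a decoder such as apktool; the check is a review aid, not a verdict, since legitimate accessibility apps declare the same service.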