January 31, 2025
Google Bans 158,000 Malicious Android App Developer Accounts in 2024
Google said it blocked over 2.36 million policy-violating Android apps from being published to the Google Play app marketplace in 2024 and banned more than 158,000 bad developer accounts that attempted to publish such harmful apps.

The tech giant also noted it prevented 1.3 million apps from getting excessive or unnecessary access to sensitive user data during the time period by working with third-party app developers.

Furthermore, Google Play Protect, a security feature that’s enabled by default on Android devices to flag novel threats, identified 13 million new malicious apps from outside of the official app store.

“As a result of partnering closely with developers, over 91% of app installs on the Google Play Store now use the latest protections of Android 13 or newer,” Bethel Otuteye and Khawaja Shams from the Android Security and Privacy Team, and Ron Aquino from Google Play Trust and Safety said.

In comparison, the company blocked 1.43 million and 2.28 million risky apps from being published to the Play Store in 2022 and 2023, respectively.

Google also said that developers’ use of the Play Integrity API – which allows them to check if their apps have been maliciously modified or are running in potentially compromised environments – has resulted in 80% lower usage of their apps from unverified and untrusted sources on average.

In addition, the company’s efforts to automatically block sideloading of potentially unsafe apps in markets like Brazil, Hong Kong, India, Kenya, Nigeria, the Philippines, Singapore, South Africa, Thailand, and Vietnam have secured 10 million devices from no less than 36 million risky installation attempts, spanning over 200,000 unique apps.

Complementing these initiatives, Google this week announced it’s introducing a new “Verified” badge for consumer-facing VPN apps that have successfully completed a Mobile Application Security Assessment (MASA) audit. Google originally unveiled this plan in November 2023.

“This new badge is designed to highlight apps that prioritize user privacy and safety, help users make more informed choices about the VPN apps they use, and build confidence in the apps they ultimately download,” it said.

If anything, the findings show that protecting the Android and Google Play ecosystem is a continuous effort, as new malware strains continue to find their way to mobile devices.

The most recent example is Tria Stealer, which has been found primarily targeting Android users in Malaysia and Brunei. The campaign is believed to have been ongoing since at least March 2024.

Distributed via personal and group chats in Telegram and WhatsApp in the form of APK files, the malicious apps request sensitive permissions that enable the harvesting of a wide range of data from apps like Gmail, Google Messages, Microsoft Outlook, Samsung Messages, WhatsApp, WhatsApp Business, and Yahoo! Mail.

There is some evidence to suggest that the malware is the work of an Indonesian-speaking threat actor, owing to the presence of artifacts written in the Indonesian language and the naming convention of the Telegram bots used for hosting command-and-control (C2) servers.

“Tria Stealer collects victims’ SMS data, tracks call logs, messages (for example, from WhatsApp and WhatsApp Business), and email data (for example, Gmail and Outlook mailboxes),” Kaspersky said. “Tria Stealer exfiltrates the data by sending it to various Telegram bots using the Telegram API for communication.”

The stolen information is then used to hijack personal messaging accounts such as WhatsApp and Telegram, and to impersonate victims in an effort to request money transfers from their contacts to bank accounts under the attackers’ control. The attackers further perpetuate the scam by distributing the malware-laced APK file to the victims’ family and friends.

The fact that Tria Stealer is also able to extract SMS messages indicates that the operators could also use the malware to steal one-time passwords (OTPs), potentially granting them access to various online services, including banking accounts.
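
The exfiltration path Kaspersky describes, data posted to Telegram bots over the Telegram API, leaves a network-side signal that defenders can look for. The following is an added example, not code from Kaspersky or Google: it scans constructed proxy log lines for Telegram Bot API upload calls made by handsets and ranks devices that post to several distinct bots. The log format, device names, bot tokens and allow-list are assumptions, and seeing the URL path requires a TLS-inspecting proxy.

```python
import re
from collections import defaultdict

# Constructed TLS-inspecting proxy log lines: time, device, verb, URL, bytes sent.
# Device names and bot tokens are made up for this example.
SAMPLE_LOG = """\
2025-01-30T08:01:12Z android-017 POST https://api.telegram.org/bot1111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage 2048
2025-01-30T08:01:40Z android-017 POST https://api.telegram.org/bot2222222222:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/sendMessage 1875
2025-01-30T08:02:03Z android-017 POST https://api.telegram.org/bot1111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendDocument 90311
2025-01-30T08:05:00Z android-022 GET https://www.example.com/news 0
2025-01-30T08:06:10Z build-srv-01 POST https://api.telegram.org/bot3333333333:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC/sendMessage 120
2025-01-30T08:07:00Z android-031 GET https://api.telegram.org/bot4444444444:DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD/getMe 0
"""

# Bot API URLs have the form https://api.telegram.org/bot<id>:<secret>/<method>
BOT_CALL = re.compile(r"^https://api\.telegram\.org/bot(\d+):[\w-]+/(\w+)")
UPLOAD_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
ALLOWED_SOURCES = {"build-srv-01"}  # hypothetical: hosts running a sanctioned bot

def find_bot_api_uploads(log_text, allowed=ALLOWED_SOURCES):
    """Group Bot API upload calls by device; keep the bot id, drop the secret."""
    hits = defaultdict(lambda: {"bots": set(), "calls": 0, "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _ts, device, _verb, url, sent = parts
        m = BOT_CALL.match(url)
        if not m or device in allowed or m.group(2) not in UPLOAD_METHODS:
            continue
        entry = hits[device]
        entry["bots"].add(m.group(1))  # numeric id only; the token is not stored
        entry["calls"] += 1
        entry["bytes"] += int(sent) if sent.isdigit() else 0
    return dict(hits)

def triage(hits, min_bots=2):
    """Devices posting to several distinct bots are reviewed first."""
    return sorted(d for d, h in hits.items() if len(h["bots"]) >= min_bots)

if __name__ == "__main__":
    found = find_bot_api_uploads(SAMPLE_LOG)
    for device, h in found.items():
        print(device, sorted(h["bots"]), h["calls"], h["bytes"])
    print("priority:", triage(found))
```

Without TLS inspection only the `api.telegram.org` hostname is visible, so the same grouping would have to run on DNS or SNI records and cannot distinguish upload methods.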

Kaspersky said the campaign exhibits some similarities with another activity cluster that distributed a piece of malware dubbed UdangaSteal in 2023 and early 2024 targeting Indonesian and Indian victims using wedding invitation, package delivery, and customer support lures. However, there is no evidence at this stage to tie the two malware families to the same threat actor.
