Security researchers have unraveled a mega-scale threat campaign targeting the Google Play Store.
This includes up to 60 million installs of numerous malicious apps that entered the Play Store and managed to bypass all security protections in place. The Play Store is a common target by threat actors, similar to how they like to target Gmail and Chrome. It’s also a major candidate for criminals searching to upload the malicious lines of coding. This means they can go beyond the existing safeguards in place.
Google has done a great job at making sure many don’t go on evading users' devices but there are many times where even the experts aren’t blowing the whistle at the right moment. The issue is more linked to cybercriminals not being great at adapting and evolving different methods when payloads hit healthy profits. Researchers from Bitdefender highlighted a group of bad actors that are carrying out large-scale campaigns where at least 331 campaigns were launched and they ended up getting downloaded more than 60M times from apps including, Five in a Row, AquaTracker, Massm BMI, ShapeUp, ClickSave Downloader, Body Scale, Daily Spending, Cache Sweep TEL, TranslateScan and many more. The full list of associated package names is provided below. While researchers attempted to include their names/URLs, most may be missing from the Play Store, likely because they have been removed. If you have any of these apps installed, it's best to uninstall them immediately.
To be more accurate, it’s the most active campaign and the latest malware platforms found their way into the Play Store where they went live last week. After the investigations ended, 15 apps were still found for downloads on the Google Play Store. The apps bypassed so many security restrictions and began activities even if they weren’t running in the background and without the permissions needed.
The result is spam for the victim with back-to-back fullscreen ads and serving user interface features to provide phishing attacks. Hundreds of those could give rise to credential theft. This appears as the latest threat campaign to take over the Play Store. The report from experts shared how all highlighted apps were removed at the time they were discovered. But it’s actually much bigger in scale than what it was perceived to be.
Dangers include criminals accessing devices belonging to direct users linked to phishing websites, not just showing them off in terms of big-screen ads. Some of these platforms could even generate phishing activities through fullscreen acts.
Users might be asked to add credentials from the Facebook platform or another online service or even through credit card information on apps or online websites. Still, we are seeing a bunch of apps continually being added to the Play Store and working to create misery without any signs of removal. They are copying the actions of utility apps such as those known for QR Code scanning, tracking expenses, and even providing health-related information.
Experts mentioned how there are several worrisome takeaways here. The app icons were hidden and it’s something that’s not possible any longer technically through the newest Android variants. Bitdefender shared how it was observing several tactics to get around such protections.
Researchers shared how the apps already come embedded with Launcher Activity that is disabled through default means. So they can abuse the startup mechanism and enable a launch. It’s another means to evade detection. So after the setup is done, the platform disables this launcher and the icon ends up vanishing. Hence, malicious developers are more likely to find bugs or abuse the app’s programming interface.
In some cases, the attackers use launchers created for Android Television as well as the platform hiding behind settings and altering the name to Google Apps like Google Voice to prevent getting detected. Lastly, the apps may begin without any kind of user interaction. It’s something else that is not designed to be technically possible through Android 13 as it shows no ads over other apps playing in the background.
Image: DIW-Aigen
Read next: Meta CEO Shares The Company’s Open AI Model Llama Hitting One Billion Downloads
This includes up to 60 million installs of numerous malicious apps that entered the Play Store and managed to bypass all security protections in place. The Play Store is a common target by threat actors, similar to how they like to target Gmail and Chrome. It’s also a major candidate for criminals searching to upload the malicious lines of coding. This means they can go beyond the existing safeguards in place.
Google has done a great job at making sure many don’t go on evading users' devices but there are many times where even the experts aren’t blowing the whistle at the right moment. The issue is more linked to cybercriminals not being great at adapting and evolving different methods when payloads hit healthy profits. Researchers from Bitdefender highlighted a group of bad actors that are carrying out large-scale campaigns where at least 331 campaigns were launched and they ended up getting downloaded more than 60M times from apps including, Five in a Row, AquaTracker, Massm BMI, ShapeUp, ClickSave Downloader, Body Scale, Daily Spending, Cache Sweep TEL, TranslateScan and many more. The full list of associated package names is provided below. While researchers attempted to include their names/URLs, most may be missing from the Play Store, likely because they have been removed. If you have any of these apps installed, it's best to uninstall them immediately.
"All of the identified apps from this report have been removed from Google Play. Android users are also automatically protected by Google Play Protect, which is on by default on Android devices with Google Play Services.” - A Google spokesperson explained.
To be more accurate, it’s the most active campaign and the latest malware platforms found their way into the Play Store where they went live last week. After the investigations ended, 15 apps were still found for downloads on the Google Play Store. The apps bypassed so many security restrictions and began activities even if they weren’t running in the background and without the permissions needed.
The result is spam for the victim with back-to-back fullscreen ads and serving user interface features to provide phishing attacks. Hundreds of those could give rise to credential theft. This appears as the latest threat campaign to take over the Play Store. The report from experts shared how all highlighted apps were removed at the time they were discovered. But it’s actually much bigger in scale than what it was perceived to be.
Dangers include criminals accessing devices belonging to direct users linked to phishing websites, not just showing them off in terms of big-screen ads. Some of these platforms could even generate phishing activities through fullscreen acts.
Users might be asked to add credentials from the Facebook platform or another online service or even through credit card information on apps or online websites. Still, we are seeing a bunch of apps continually being added to the Play Store and working to create misery without any signs of removal. They are copying the actions of utility apps such as those known for QR Code scanning, tracking expenses, and even providing health-related information.
Experts mentioned how there are several worrisome takeaways here. The app icons were hidden and it’s something that’s not possible any longer technically through the newest Android variants. Bitdefender shared how it was observing several tactics to get around such protections.
Researchers shared how the apps already come embedded with Launcher Activity that is disabled through default means. So they can abuse the startup mechanism and enable a launch. It’s another means to evade detection. So after the setup is done, the platform disables this launcher and the icon ends up vanishing. Hence, malicious developers are more likely to find bugs or abuse the app’s programming interface.
In some cases, the attackers use launchers created for Android Television as well as the platform hiding behind settings and altering the name to Google Apps like Google Voice to prevent getting detected. Lastly, the apps may begin without any kind of user interaction. It’s something else that is not designed to be technically possible through Android 13 as it shows no ads over other apps playing in the background.
| Packages | |
|---|---|
| 0 | roshag.chat.enhance.iushx |
| 1 | com.apples.qrcreator |
| 2 | com.ion.code.sentry |
| 3 | com.cannon.physiqueprofiler |
| 4 | com.trashbuster.cleanhyper |
| 5 | com.nmyfun.hpaint |
| 6 | religion.divine.calendar.app |
| 7 | com.oasis.drinktracker.healthapp |
| 8 | com.rabbit.glucosediary |
| 9 | com.tartar.light.lead |
| 10 | com.codeNow.bgrpictotextapp |
| 11 | com.letters.bodyfast |
| 12 | health.care.heart.entry |
| 13 | com.volleyball.sipsmart |
| 14 | com.note.nook.nootbook |
| 15 | com.note.log.notebook.text.trek |
| 16 | com.dsgdddfsdgf.dvsdcs |
| 17 | com.tome.answer.book.forandroid |
| 18 | com.twinkle.note.halfwaytool |
| 19 | com.bp.navigator.bloodpressure.application |
| 20 | poaed.virtual.entity.tavbu |
| 21 | com.everycount.recordexpenses |
| 22 | com.putt.qrhunter |
| 23 | com.spiders.turbopdf |
| 24 | com.befbefsd.syfbfhgggg.ntevboka |
| 25 | com.fitcalc.healthcare.bmi.fitbmi |
| 26 | com.tomatoes.qrafter |
| 27 | com.eareye.armhk.ftt |
| 28 | com.wave.watcher.health.recorder |
| 29 | com.skii.dlf |
| 30 | com.flashlightscanner.creator |
| 31 | com.dragon.scribe.notebook.myth |
| 32 | datetime.calculate.time.wise |
| 33 | com.starce.pulsemap |
| 34 | com.antac.spritzy |
| 35 | com.glove.slimbmi |
| 36 | com.leadlife.knowledge.ark |
| 37 | com.care.olsk |
| 38 | com.magnify.sharp.sight |
| 39 | com.donkey.healthline |
| 40 | com.Qezxc.Tdfdz.gddp |
| 41 | com.bloody.buddy.bp.blood |
| 42 | com.sigture.femplce.cell.cdcd |
| 43 | com.ufuopo.magic.frame |
| 44 | com.wallpapersave.beautifulscene |
| 45 | com.scubam.notes |
| 46 | com.untang.cardio.care |
| 47 | com.privatenumber.textphotos.calculator |
| 48 | com.cartoon.wallpaper.adorable.setup |
| 49 | com.potato.journeyquill |
| 50 | com.imageosis.sourcephrame |
| 51 | com.apparatus.festtrack |
| 52 | yaiss.date.master.suiue |
| 53 | com.pets.quickscan |
| 54 | com.epicwalls.wallpaper.app |
| 55 | com.magata.charger |
| 56 | com.dilige.doc |
| 57 | com.wallart.craft.fusion.canvas |
| 58 | com.bee.beat.oplayer |
| 59 | com.crayon.shapeup |
| 60 | wall.paper.palette.paperpalette |
| 61 | com.pressurepoint.bloodpressure.android |
| 62 | com.black.myth.wukong.journal |
| 63 | com.vedioscene.cutmaker |
| 64 | date.time.span.comput |
| 65 | com.image.frame.construction |
| 66 | com.moreagent.beyour.wonderf |
| 67 | com.animal.codeking |
| 68 | com.lokrrclk.maicahaway.bcash |
| 69 | com.find.myphone.out |
| 70 | press.tracker.record.app |
| 71 | com.zoofv.Gwsa.quote |
| 72 | com.dochecklist.remarkthings |
| 73 | com.clipclipnote.notebook |
| 74 | com.school.paintflow |
| 75 | com.docuflow.pdfinsight.pulse.nexus.adept |
| 76 | com.writer.dripdropduo |
| 77 | com.bookAnswers.Answersmaster |
| 78 | com.gluco.log.blood.health |
| 79 | com.beautifuland.stunningwall |
| 80 | ryouab.pixlayer.wallpaper.giestc |
| 81 | ygsap.electro.magnetic.field.scanner |
| 82 | com.support.codeblitz |
| 83 | com.snail.vitaltrace |
| 84 | com.efldi.bdbhe |
| 85 | religious.celebration.guide.app |
| 86 | com.answer.tome.book |
| 87 | beauty.wallpaper.gallery.app |
| 88 | com.turan.antitheft.note |
| 89 | com.sanit.notekeeper.master |
| 90 | com.whimsywriter.dailynote |
| 91 | com.friend.sparkdiary |
| 92 | com.scannertranslate.useful.nloader |
| 93 | text.score.count.helper |
| 94 | com.trandsz.gfdweee.tagtag.discsion |
| 95 | com.note.lively.notebook.android |
| 96 | com.logdrink.water.wave.android |
| 97 | com.snorkel.hydro.habit |
| 98 | com.prose.inkslinger |
| 99 | prolimatofa.egg.spiral.dash |
| 100 | com.Capcap.mamp.totoy |
| 101 | com.gulp.minder.andorid.application |
| 102 | com.zoo.frarefew.mkey |
| 103 | com.todaynote.everydaynote |
| 104 | com.vvkdio.sout.boxo |
| 105 | com.emojimaker.enjoyemoji |
| 106 | com.wisdom.life.answer.book |
| 107 | com.filefetcher.filesavedownloder |
| 108 | faithful.holidays.finder.app |
| 109 | qrocr.code.scan.ease |
| 110 | com.ladybug.sumatrapdf |
| 111 | com.building.tagreader |
| 112 | com.qusad.queszh.prpcipcunm.rews |
| 113 | com.circlestyle.easybrowser |
| 114 | com.plusrecord.bp.recorder |
| 115 | com.taste.scanhub |
| 116 | com.cobweb.torchup |
| 117 | com.filebrowser.easytouser |
| 118 | com.fog.flashseeker |
| 119 | virtual.nexus.aichat.app |
| 120 | com.framefy.photoart |
| 121 | com.legac.sipsync |
| 122 | com.dynasty.qrique |
| 123 | com.lance.scan.hawk |
| 124 | ugiso.spiritual.days.yeisf |
| 125 | offline.wall.art.paper |
| 126 | com.riptide.torch |
| 127 | com.breadof.whnowit.werdz |
| 128 | com.shape.flipbook |
| 129 | com.gree.cryyonmyeow.gange |
| 130 | com.drfq.opmnlight.find |
| 131 | com.swift.glide.stream.pilot |
| 132 | quick.qrqr.code.scan |
| 133 | com.badr.dreamstatus |
| 134 | com.easycircle.online.browser |
| 135 | com.trtytrrty.tyhbhn.qwewqdfs.gtgthgrt.uert |
| 136 | com.dinosaurs.bplog |
| 137 | com.gvvfzf.wdsd |
| 138 | com.hydra.hub.scribe.h2odrink |
| 139 | com.schdck.ctct.bid |
| 140 | tsaid.stealth.apps.finder |
| 141 | connection.wifi.link.app |
| 142 | clear.text.ocr.recognize |
| 143 | com.moontrack.herbrowser |
| 144 | com.pulse.journalapp.bpussre |
| 145 | com.eleven.netswift |
| 146 | com.spectrum.note.book |
| 147 | com.codhf.peyf.efo |
| 148 | com.qritranslate.scanertext |
| 149 | com.chakok.textbkspird.wsszook |
| 150 | com.quickmark.qrscanmachine |
| 151 | com.amused.lightup |
| 152 | com.ansella.photoeditor.frame |
| 153 | com.fftreds.ghgfgdfdk.dtdt.stt |
| 154 | com.phopaper.wallto |
| 155 | com.drum.beamblitz |
| 156 | com.health.pressure.pilot |
| 157 | com.dinner.lightbringer |
| 158 | com.vmraqcu.pld |
| 159 | com.snap.visionmate.app |
| 160 | com.prison.grimace |
| 161 | com.feeling.shapetrack |
| 162 | com.bp.circulation.check.health |
| 163 | com.bookbag.pencilt.erer |
| 164 | com.needle.pixform |
| 165 | com.eatrg.Rise.Motivate |
| 166 | com.industry.perfectbmi |
| 167 | twisty.egg.race.run |
| 168 | com.btfdf.Nmfd.Rvsd.sdsa |
| 169 | com.grandfather.waterwhiz |
| 170 | com.docu.pdftext.flow.draft.piolt |
| 171 | com.tree.year |
| 172 | com.erfedfvgf.azxss.erewd.werfvbs |
| 173 | com.prodigy.aurora.lume |
| 174 | com.xasasaf.cdsv |
| 175 | com.truck.xscan |
| 176 | com.todogalaxy.list |
| 177 | com.clear.sound.voice.recorder.management |
| 178 | vgssea.code.capture.deoig |
| 179 | com.wilderness.hydr8 |
| 180 | com.sugar.scanmaster |
| 181 | com.text.word.lexicount |
| 182 | com.loader.downloader.suitable |
| 183 | com.toolsquik.schetchwat |
| 184 | com.behavior.wellnessscope |
| 185 | com.bbb.eewrew |
| 186 | com.bysedr.poshk.tutu |
| 187 | com.drink.aqua.tracker |
| 188 | com.thirstquest.drink.health |
| 189 | com.writer.drinkup |
| 190 | com.textdocusheet.pdfreader |
| 191 | com.hujkr.Gscas.Qrmanager.maker |
| 192 | com.bmilog.healthrecorder.bmi |
| 193 | com.phrameselect.nextlevel |
| 194 | com.pennycharge.accountup |
| 195 | com.spectrum.notebook.dairy.book |
| 196 | com.KCDc.cmkd.sGAB |
| 197 | com.territory.blink |
| 198 | com.qewqwer.fdsasdsas.zswsdedeoko.jnm |
| 199 | com.nicebrowser.verifyartical |
| 200 | com.comfort.flashscan |
| 201 | com.wrdup.noterecord.upnote |
| 202 | com.equin.fury.light |
| 203 | com.vcdfcx.vbghgfgy.tygdasz.daydu |
| 204 | com.powder.shapesensei |
| 205 | junk.clean.file.purge |
| 206 | com.expense.visual.track |
| 207 | com.slobb.page.pilot |
| 208 | com.cuddleframe.cutewallpaper |
| 209 | com.qrfgsd.hjk.fusion |
| 210 | text.word.quantify.count |
| 211 | com.gulp.minder.drink.health |
| 212 | com.cleanpro.device.performance.cleaner |
| 213 | com.defea.scan.eagle |
| 214 | com.boys.vitalflow |
| 215 | com.askoknook.wokfowt.fvsgsbm |
| 216 | com.onto.drinksmart |
| 217 | com.tkdodownloader.onlyfacebook |
| 218 | com.mice.fastpdf |
| 219 | com.tendency.waterlog |
| 220 | com.aivou.peyfellti.treffas |
| 221 | cardio.heart.rate.log |
| 222 | com.noneedto.waitbrowser |
| 223 | com.blood.pres.xhur |
| 224 | com.cup.application.whidpers.sips |
| 225 | com.dfcs.erwan.beat |
| 226 | qrcode.ease.identify.app |
| 227 | com.quarter.pdfpro |
| 228 | com.dusahif.coaskjgf |
| 229 | com.lemonlog.tool |
| 230 | com.monkey.bodyguide |
| 231 | com.wave.frink.wavelog.sagerak |
| 232 | com.wetmeter.recorder.drink.water.health |
| 233 | com.robust.drink |
| 234 | com.uylm.goatm |
| 235 | com.wsesas.fgfctre.opomna |
| 236 | com.drinkhealth.water.wink |
| 237 | com.vughgnnfg.fdfdgsfgfs.edxssx.adsdfjk |
| 238 | com.afterthought.thirsttime |
| 239 | vision.scan.ocrqr.quickly |
| 240 | com.horn.nitropdf |
| 241 | com.utfgop.Sagyuh.noteBokk.welkwe |
| 242 | com.emotionalquotos.fightingwordsbox |
| 243 | com.ponder.notebook.remindbook |
| 244 | com.Redsa.ftrds.zxcv.tger |
| 245 | com.saveall.fbloader.downloader |
| 246 | com.photo.yellowclolor.frame |
| 247 | com.clpclp.trefinder |
| 248 | com.hdh.tewtwe |
| 249 | com.qrscan.texttranslate |
| 250 | com.oeredrt.charcha.boardky.ftsasauop |
| 251 | com.sullen.glide.text |
| 252 | com.conamoroll.wallpaper.com |
| 253 | com.findyour.phone.fast |
| 254 | com.stride.despise |
| 255 | com.soulpages.wanderanswer |
| 256 | com.underwatybop.ffdftakepiece.drik |
| 257 | wallpaper.wall.scape.app |
| 258 | com.zczcf.gygyu.ffdd.ruer |
| 259 | com.stridecounter.stepcalculation |
| 260 | com.shock.glowup |
| 261 | com.at.scribe.sphere |
| 262 | com.pophnbn.gfghghaa.libprrrty |
| 263 | com.deva.insulineer |
| 264 | com.fairies.codecatcher |
| 265 | com.ulikerecoder.swifttrack.tmsv |
| 266 | com.trewreeew.kjhgfpppp.ftghbgfdsa.fdsa |
| 267 | com.bnmbvdscc.vgfrtgvttt.asawtart.waterokp |
| 268 | com.overbite.ink.bender |
| 269 | com.xxdffvc.Fcszrt.okasnm |
| 270 | com.pennyrecorder.budget |
| 271 | com.framep.beauttool |
| 272 | com.ndgf.werew |
| 273 | com.lively.note.book |
| 274 | filehive.junk.cleaner.app |
| 275 | wallpaper.pixel.stacker.app |
| 276 | faith.dates.festival.app |
| 277 | com.luxurious.scan.blitz |
| 278 | com.Video.Maker.VideoEditor |
| 279 | com.Disate.sentttanzc.dbhnmok.ftbbftas |
| 280 | ygvas.scanqr.master.udybc |
| 281 | com.pdfsaver.filedownload |
| 282 | com.press.watch.bloodpressure |
| 283 | com.ewqew.mokgfd.cbokp |
| 284 | com.abk.asoj |
| 285 | com.ring.find.phone.tool |
| 286 | com.daojer.cmdcuky |
| 287 | com.bears.pulsetrack |
| 288 | com.chairs.hydrovibe |
| 289 | com.stick.quenchlog |
| 290 | com.year.fluidfocus |
| 291 | com.thirst.quest.drink |
| 292 | com.syncheart.pulsemight |
| 293 | com.browserzheng.foundernews |
| 294 | com.cardiac.pixel.panorama |
| 295 | com.photoah.editorebrey |
| 296 | com.peso.quicknet |
| 297 | com.ground.mystory |
| 298 | generate.bliss.note.blissnote |
| 299 | com.systolic.scribe.bloodpressure |
| 300 | com.card.pixelparser |
| 301 | com.hidden.apps.disguised.spyware.detector |
| 302 | com.capture.bp.cardio.blood.health |
| 303 | artistic.wall.magic.background |
| 304 | com.bfjk.terdpo.passmake |
| 305 | com.phobi.lean.life |
| 306 | com.health.pressurepilot |
| 307 | convenient.text.count.textcount |
| 308 | com.drain.lifelog |
| 309 | com.pictureframe.magicdecloration |
| 310 | com.kitty.echopages |
| 311 | com.obsi.nrej.axle |
| 312 | com.raisetgb.ptdowngrw.uplod.crcra |
| 313 | com.jail.docuease |
| 314 | com.bp.vitalsphygmo.healthy |
| 315 | com.physical.index.bmi |
| 316 | com.bikes.pdfvault |
| 317 | com.covboe.vrsa.log |
| 318 | com.hipainpainter.pipienter |
| 319 | com.sip.psa |
| 320 | com.servant.puresip |
| 321 | com.insurance.glucopath |
| 322 | com.beautiful.dayweather |
| 323 | com.destinybook.storybook.wistom |
| 324 | com.drorowsuaz.water |
| 325 | com.handset.loctor.findphone |
| 326 | com.rake.bodyscale |
| 327 | com.cachesweep.clean |
| 328 | com.fiveinarow.nicegame |
| 329 | com.rate.massmbmi |
| 330 | com.water.note.mate.fresh.leaf |
Read next: Meta CEO Shares The Company’s Open AI Model Llama Hitting One Billion Downloads
