Meanwhile, Android malware writers have been capitalizing on interest in the forthcoming "Plants vs. Zombies 2" game from PopCap Studios, which to date has only seen a "soft release" in Australia and New Zealand. Despite that fact, as of Monday, "we discovered no less than seven [related threats] in Google Play alone, either as a fake app download or a 'downloader' for the app itself," said Trend Micro fraud analyst Ruby Santos in a blog post. "One of them was detected to be a fake app that pushed malicious ads to the user."
[ Why is Java such a persistent security problem? Read Java Dregs Create Unappetizing Enterprise Security Problem. ]
Google has since removed all of the offending apps from Google Play and suspended the developer accounts that were used to submit the apps. "Google has been commendably quick in handling the threats found in Google Play," Santos said.
But could more be done to prevent malicious apps from appearing on Google Play in the first place? In general, Santos said, fake app download scams perpetrated via Google Play tend to promise versions of apps that aren't yet available for Android, or that require five-star ratings and reviews before they can be "played," which perpetuates the app appearing to be legitimate. Many malicious apps are also free, which appears to be designed to sidestep Google's requirement that any developer offering a paid app must first create a Google Wallet account.
Accordingly, to better crack down on developers submitting fake apps, Google could "make the Google Wallet registration compulsory for all developers wishing to release apps on Google Play," said Santos. "This can serve as identification and proof of legitimacy for legitimate developers, and also a deterrent to cybercriminals."
Security researchers also on Tuesday reported seeing the first malicious use of the "master key" vulnerability that affects all versions of Android prior to version 4.2.2. The bug can be exploited by attackers to inject malicious code into digitally signed versions of legitimate apps.
"The term 'master key' is a bit deceiving; the vulnerability, in fact, does not involve any cryptographic primitive, but instead it is all about stashing inside an Android application -- the apk file -- two versions of the same resource so to partially evade some integrity checks," said Kasperky Lab security researcher Stefano Ortolani in a blog post. "The impact is, however, prominent, since it means that an adversary is able to tamper with an apk file signed by a trusted authority, so to include a modified resource thereby replacing the genuine one."
Symantec said it's spotted two legitimate apps repackaged as malware using precisely those techniques. "We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has," read a Tuesday blog post from Symantec Security Response. "They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments."
The appointment apps, however, have been altered to disable mobile security software and take full control of any devices they infect. "An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available," Symantec said.
To be clear, the malicious versions of the legitimate apps are only available on third-party app stores located in China, and not from the official Google Play app store. But because China blocks access to Google Play, app-craving Android owners in China are stuck with third-party stores.