Oh, look: More malware in the Google Play store

Also, US media hit with JavaScript supply chain attack, while half of govt employees use out-of-date mobile OSes


in brief A quartet of malware-laden Android apps from a single developer have been caught with malicious code more than once, yet the infected apps remain on Google Play and have collectively been downloaded more than one million times. 

The apps come from developer Mobile apps Group, and are infected with the Trojan known as HiddenAds, said security shop Malwarebytes. It analyzed one of Mobile apps Group's products, Bluetooth Auto Connect, which ostensibly does what its name suggests but also much more. 

According to Malwarebytes, once installed the app waits for a few days before it starts behaving maliciously. Once it takes action, the app begins opening phishing sites in Chrome, ranging from harmless pay-per-click spam to sites telling users to download updates or to take action because their device has been infected.

"As a result, unlocking your phone after several hours means closing multiple tabs," Malwarebytes' Nathan Collier said. 

Interestingly, the malware in Mobile apps Group's .APKs was removed twice – in January 2021 and again the next month – when the developer uploaded clean versions of Bluetooth Auto Connect before adding the malware back in a future update. 

Collier believes that the developer was likely caught by Google, leading to the clean uploads. Despite that, he notes that the last clean version was published on October 21, 2021, with a new malware-infested version added to Google Play in December of last year.

"Now on version 5.7, that malicious code remains to this date. A run of over ten months with malicious code on Google Play. Perhaps it's time to say three strikes and you're out to Mobile apps Group," Collier said.

Google Play has a history of hosting malicious apps, with perhaps one of the most egregious cases coming to light this past July when 60 apps installed by more than 3.3 million users were taken down due to malware.

This isn't even the first time the HiddenAds Trojan was found on Google Play: It was spotted on the store in 2020, while in 2021 a popular barcode scanning app installed on over 10 million devices was updated to add HiddenAds (and also researched by Collier). 

Google has also been accused of failing to police malware pre-loaded onto cheap Android devices, which more than 50 advocacy groups called the company out for in 2020. 

Software supply chain attack hits US news media

Proofpoint Threat Research is warning that more than 250 local and regional US newspaper websites have been accessing and serving malicious code to readers following a software supply chain attack.

The group responsible is believed to be TA569, or SocGholish, Proofpoint said in a Twitter thread. The group reportedly compromised an unnamed media company that serves JavaScript ads and videos to news sites across the country "by modifying the codebase of this otherwise benign JS." 

Proofpoint has tracked TA569 for several years, and in 2020 warned that it was performing similar attacks via HTML injections and CMS compromises. According to Proofpoint, the end goal is an infection with SocGholish malware, which masquerades as an update file for Firefox and other web browsers.

Only the infected media companies serving the ads have the real tally showing how widespread the damage is, Proofpoint said, adding that compromised sites were found serving Boston, New York, Chicago, Washington, DC and other metro areas.

Proofpoint said TA569 regularly removes and adds new malicious code, "therefore the presence of the payload and malicious content can vary from hour to hour," making this one hard to detect, too.

Nearly half of US government employees use out-of-date mobile devices

Just under half the mobile devices used by US civil servants at all levels of government are running out-of-date OSes, according to a report examining telemetry from more than 200 million devices.

According to security firm Lookout, this includes US federal, state and local employees using outdated versions of Android and iOS on their devices, with far worse numbers reported for Android.

Ten months after the release of Android 12, only 67 percent of federal devices and 54 percent of state/local devices were running the up-to-date version. Android 11 was on roughly 15 percent of devices at all government levels, while more than 10 percent of state and local devices were still running Android 9.

The only large group of iOS devices not running iOS 15 (the newest version during the data period) were state and local devices, around a quarter of which were still running iOS 14 ten months after the iOS 15 release.

But cybercriminals bent on accessing government devices are turning away from malware and toward simple credential harvesting, meaning those outdated OSes might not be to blame for threat actors gaining a foothold in US government agencies. 

Around 50 percent of phishing attacks on government employees attempted to steal credentials, up from around a third the year prior, Lookout said. One bit of good news from the report is that government employees appear to be learning their lesson from being phished.

"Well over 50 percent of federal, state, and local employees who received a notification that they had clicked on a phishing link did not click on a subsequent mobile phishing link." ®
