CepKutustu.com, a Turkish alternative Android app store, was found to be spreading malware through every app in the store. ESET researchers discovered that whichever app a user chose to download, what actually arrived was not the app described on the page but a single malicious APK camouflaged as a Flash Player.
The malware is a remotely controlled banking trojan, detected by ESET as Android/Spy.Banker.IE. It can intercept and send SMS messages, display fake activity, and download and install further apps.
To avoid detection, the store did not appear to infect the same visitor twice within a seven-day period: after the first malicious download a cookie was set, and for the next seven days that visitor was served clean links. Once the seven days had passed, the user was again redirected to the malware when trying to download other applications. Only on those visits did the downloads reveal their true nature.
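The cookie-gated redirect above is easy to model, and modelling it also suggests how a store operator or researcher could check for it. The following Python is an added illustration written for this page, not code from CepKutustu.com or from ESET: the app names, URLs and the cookie name `served_at` are invented, and only the seven-day window and the "one malicious APK for every link" behaviour come from the report. The audit function looks for the two signals the report gives: every app's fresh-session download resolves to one file, and a cookie-bearing session gets a different target than a cookie-less one.

```python
"""Constructed model of the cookie-gated redirect ESET described, plus an audit check.

Added illustration, not code from CepKutustu.com or ESET. App names, URLs and the
cookie name are invented; the seven-day window is the one in the report.
"""
from dataclasses import dataclass, field

SEVEN_DAYS = 7 * 24 * 60 * 60  # seconds

# Constructed sample data (not real URLs).
MALICIOUS_APK = "https://store.example/download/flash_player.apk"
SAMPLE_APPS = {
    "puzzle-game": "https://store.example/download/puzzle-game.apk",
    "chat-app": "https://store.example/download/chat-app.apk",
    "photo-editor": "https://store.example/download/photo-editor.apk",
}


class HonestStore:
    """A store whose download links point where they say they do."""

    def __init__(self, apps):
        self.apps = dict(apps)

    def download(self, app_name, cookies, now):
        """Return (download_url, cookies_to_set) for one request."""
        return self.apps[app_name], {}


class CompromisedStore(HonestStore):
    """Models the described back end: every download link points at one malicious
    APK, except for visitors carrying a recent 'already served' cookie."""

    COOKIE = "served_at"  # assumed cookie name; the report does not give one

    def __init__(self, apps, malicious_apk):
        super().__init__(apps)
        self.malicious_apk = malicious_apk

    def download(self, app_name, cookies, now):
        if app_name not in self.apps:
            raise KeyError(app_name)
        served_at = cookies.get(self.COOKIE)
        if served_at is None:
            # First visit: serve the trojan and start the seven-day clock.
            return self.malicious_apk, {self.COOKIE: str(int(now))}
        if now - int(served_at) < SEVEN_DAYS:
            # Inside the window the victim sees only clean links.
            return self.apps[app_name], {}
        # Window expired: redirect to the trojan again.
        return self.malicious_apk, {}


@dataclass
class Session:
    """A browser-like session that keeps whatever cookies the store sets."""
    cookies: dict = field(default_factory=dict)

    def fetch(self, store, app_name, now):
        url, to_set = store.download(app_name, self.cookies, now)
        self.cookies.update(to_set)
        return url


def audit_store(store, app_names, now):
    """Compare cookie-less downloads against a returning (cookied) session.

    Returns a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    fresh = {name: Session().fetch(store, name, now) for name in app_names}
    targets = set(fresh.values())
    if len(app_names) > 1 and len(targets) == 1:
        findings.append(f"all {len(app_names)} fresh-session downloads resolve to {targets.pop()}")

    returning = Session()
    returning.fetch(store, app_names[0], now)  # take the cookie once
    for name in app_names:
        later = returning.fetch(store, name, now + 60)
        if later != fresh[name]:
            findings.append(f"{name}: fresh session gets {fresh[name]}, cookied session gets {later}")
    return findings


def build_sample_store():
    """The constructed compromised store used in the demo below."""
    return CompromisedStore(SAMPLE_APPS, MALICIOUS_APK)


if __name__ == "__main__":
    for line in audit_store(build_sample_store(), list(SAMPLE_APPS), now=1_000_000):
        print(line)
```

Run against the honest store the audit reports nothing; against the modelled compromised store it reports one finding for the shared target and one per app for the fresh-versus-cookied mismatch. In practice the same comparison would be made on the downloaded file's hash rather than the URL, since a redirect can hide behind an unchanged link.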
Researchers detected only a few hundred infected users, most likely because users deleted the app after finding that it did not work as described.
This is the first known case of an entire Android app store being compromised in this way, and researchers believe it was only a test run for something bigger. Lukáš Štefanko, an ESET malware researcher, said:
“This is the first time I’ve seen an entire Android market infected like that. Within the Windows ecosystem and in browsers, this technique is known to have been used for some time. In the Android ecosystem, however, it’s really a new attack vector.”
“[However], the crooks misused their control of the app store in the simplest manner. Replacing the links to all apps with a link to a single malicious app requires virtually no effort – but it also gives the store’s customers a fair chance to detect the scam…it was probably a test,” he explained.
Although this threat was shut down once it was found, criminals may take a bigger and more dangerous route next time. The number of victims could be far higher if the criminals gained control of the store’s back end and attached malware to each app in the store: a user lured into downloading a particular game would then receive a trojanized version of that game, not an obviously mismatched fake, and the number of victims would grow accordingly.