July 25, 2017

The Turkish Android App Store is Crawling with Malware

CepKutustu.com, a Turkish alternative app store, had been spreading malware through every download link in the store. ESET researchers found that when users downloaded the app they had chosen, what they received was not the app described on the listing: the download was a malicious package disguised as Flash Player.

The malware was identified as a remotely controlled banking trojan, Android/Spy.Banker.IE. It can intercept and send SMS messages, display fake activity to the user, and download and install further apps.

To avoid detection, the malware was not served to a visitor for the first seven days. A cookie was set on the first download so that the store returned clean links to that visitor during this period. Once the seven days had passed, users were redirected to the malware whenever they tried to download other applications; the downloads served from then on were no longer disguised as the legitimate apps and showed their true purpose.

Researchers detected just a few hundred infected users, most likely due to users deleting the app after finding the app did not run as described.  

This is the first known case of an entire Android app store being infected, and the researchers believe it was only a test run for something bigger. Lukáš Štefanko, an ESET malware researcher, stated the following:

“This is the first time I’ve seen an entire Android market infected like that. Within the Windows ecosystem and in browsers, this technique is known to have been used for some time. In the Android ecosystem, however, it’s really a new attack vector,” 

“[However], the crooks misused their control of the app store in the simplest manner. Replacing the links to all apps with a link to a single malicious app requires virtually no effort – but it also gives the store’s customers a fair chance to detect the scam…it was probably a test,” he explained.

Although this threat was shut down once it was found, criminals may use a bigger and more dangerous route to attack victims next time. The number of victims could rise considerably if cyber criminals gained control of the store’s back end and attached malware to each app in the store individually: users lured into downloading a particular game would receive a trojanized version of that game, rather than an obviously mismatched download, increasing the number of victims.
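The two tells described above, one artifact substituted for every listing in the store and a cookie-gated delay before it is served, can be checked for from the defender's side by comparing what a store listing promises with what it actually delivers. The following is an added example, not code from ESET or the store; the download records, package names and hashes are constructed for illustration.

```python
from collections import defaultdict

# Constructed download records (not real data): the listing the user clicked,
# the package the listing promised, the package actually served, its hash,
# and the age in days of the visitor's cookie at download time.
DOWNLOADS = [
    {"listing": "game-a", "expected": "com.vendor.gamea", "served": "com.vendor.gamea",
     "sha256": "aaa1", "cookie_days": 0},
    {"listing": "game-a", "expected": "com.vendor.gamea", "served": "com.fake.flashplayer",
     "sha256": "bad1", "cookie_days": 8},
    {"listing": "chat-b", "expected": "com.vendor.chatb", "served": "com.vendor.chatb",
     "sha256": "bbb2", "cookie_days": 3},
    {"listing": "chat-b", "expected": "com.vendor.chatb", "served": "com.fake.flashplayer",
     "sha256": "bad1", "cookie_days": 9},
    {"listing": "tool-c", "expected": "com.vendor.toolc", "served": "com.fake.flashplayer",
     "sha256": "bad1", "cookie_days": 7},
    {"listing": "tool-c", "expected": "com.vendor.toolc", "served": "com.vendor.toolc",
     "sha256": "ccc3", "cookie_days": 6},
]


def mismatches(records):
    """Downloads where the served package differs from the one the listing promised."""
    return [r for r in records if r["served"] != r["expected"]]


def shared_substitute(records, min_listings=3):
    """Hashes served in place of at least `min_listings` distinct listings.

    One artifact standing in for many different apps is the store-wide
    link-replacement pattern described in the article."""
    listings_per_hash = defaultdict(set)
    for r in mismatches(records):
        listings_per_hash[r["sha256"]].add(r["listing"])
    return {h: sorted(ls) for h, ls in listings_per_hash.items() if len(ls) >= min_listings}


def delay_gate(records):
    """Estimate the cookie age at which substitution begins.

    Returns the oldest cookie that still received the clean file and the
    youngest cookie that received a substitute; a gap between the two
    suggests a time-gated delivery like the seven-day delay described."""
    bad = [r["cookie_days"] for r in mismatches(records)]
    good = [r["cookie_days"] for r in records if r["served"] == r["expected"]]
    if not bad:
        return None
    return {"oldest_clean": max(good) if good else None, "youngest_substituted": min(bad)}
```

On the constructed records this reports a single hash substituted for all three listings and a gate between cookie ages 6 and 7.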

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
