July 25, 2017 by

The Turkish Android App Store is Crawling with Malware

CepKutusu.com, a Turkish alternative app store, has been spreading malware through every app in the store. ESET researchers found that when users downloaded their desired apps, the app they received did not appear as described. Instead, it was camouflaged as Flash Player.

The malware was found to be a remote banking trojan, Android/Spy.Banker.IE. It has the ability to intercept and send SMS messages, show illegitimate activity, and download/install apps.  

To avoid detection, there was a seven-day period during which the malware did not appear to infect the user. A cookie was set to send victims clean links during this time period. Once the seven days were over, users were diverted to the malware when they tried to download other applications. The apps were then no longer disguised to appear legitimate and showed their true intentions.

Researchers detected just a few hundred infected users, most likely due to users deleting the app after finding the app did not run as described.  

This is the first attack of its kind to infect an entire Android store, and researchers believe it was only a test run for something even bigger. Lukáš Štefanko, an ESET malware researcher, stated the following:

“This is the first time I’ve seen an entire Android market infected like that. Within the Windows ecosystem and in browsers, this technique is known to have been used for some time. In the Android ecosystem, however, it’s really a new attack vector,” 

“[However], the crooks misused their control of the app store in the simplest manner. Replacing the links to all apps with a link to a single malicious app requires virtually no effort – but it also gives the store’s customers a fair chance to detect the scam…it was probably a test,” he explained.

Although this threat was shut down when found, criminals may use another, bigger and more dangerous route to attack victims. The number of victims could rise if cyber criminals gain control of the store’s back end and eventually attach malware to each app in the store. Users who are lured to download a particular game would then receive the trojanized version, increasing the number of victims.

About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.