Hackers planted backdoors in Google Play apps for years to steal sensitive data, according to research published by security firm Kaspersky Lab.

Kaspersky’s research team discovered at least eight Google Play apps with backdoors dating back to 2018. Based on archive research, the researchers believe that malicious apps from the same hacking group have been on Google Play since 2016.

Google removed recent versions of the malware shortly after the security firm reported them. Third-party app stores have also hosted the backdoored apps, and these remain available there.

Google Play’s security measures

The hackers responsible for the backdoor used various techniques to bypass Google’s security checks. One method was to submit a clean version of an app initially and add the backdoor only after Google had accepted the application. Another approach was to request few or, in some cases, no permissions during installation, and to ask for further permissions later using code hidden in executable files. For example, one of the more recent apps posed as a browser cleaner.

After the backdoor was activated, it collected the hardware model, the Android version and the list of installed apps. Based on that information, the attackers could use the infected applications to download and execute malicious payloads. These payloads then collected locations, call logs, contacts, text messages and other sensitive information.
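The two paragraphs above describe a release pattern a defender can check for: a first version that declares few or no permissions, followed by updates that add the permissions needed to read contacts, messages, call logs and location. The script below is an added example, not code from the article or from Kaspersky; it audits a constructed release history (package names and version numbers are hypothetical, the permission strings are real Android identifiers) and reports every release that introduces sensitive permissions absent from all earlier releases.

```python
"""Flag app releases that add sensitive Android permissions only after an
earlier, cleaner version was published (the "clean first, escalate later"
pattern). Constructed example; the release history below is made up."""
from typing import Dict, List, Set, Tuple

# Permissions that grant access to the kinds of data the payloads collected.
# These are real Android permission identifiers.
SENSITIVE: Set[str] = {
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

History = List[Tuple[str, Set[str]]]  # (version, declared permissions), in release order


def permission_escalations(history: History) -> List[dict]:
    """Return one finding per release that declares sensitive permissions
    which no earlier release of the same app declared. The very first
    release is never flagged: escalation needs a prior baseline."""
    seen: Set[str] = set()
    previous = None
    findings = []
    for version, perms in history:
        if previous is not None:
            added = (perms & SENSITIVE) - seen
            if added:
                findings.append({
                    "version": version,
                    "previous": previous,
                    "added": sorted(added),
                    # how many permissions the app had declared before this release;
                    # 0 or 1 matches the "little or no permissions" lure
                    "permissions_before": len(seen),
                })
        seen |= perms
        previous = version
    return findings


def audit(catalog: Dict[str, History]) -> Dict[str, List[dict]]:
    """Run the check over a package -> history map; keep only packages with findings."""
    return {pkg: f for pkg, f in ((p, permission_escalations(h)) for p, h in catalog.items()) if f}


# Constructed release histories (hypothetical package names).
INTERNET = "android.permission.INTERNET"
SAMPLE_HISTORY: Dict[str, History] = {
    "browser.cleaner.example": [
        ("1.0", set()),                                   # clean, no permissions at all
        ("1.1", {INTERNET}),
        ("1.2", {INTERNET, "android.permission.READ_CONTACTS",
                 "android.permission.READ_SMS"}),         # escalation
        ("1.3", {INTERNET, "android.permission.READ_CONTACTS",
                 "android.permission.READ_SMS",
                 "android.permission.ACCESS_FINE_LOCATION"}),  # further escalation
    ],
    "notes.example": [
        ("2.0", {INTERNET, "android.permission.READ_CONTACTS"}),  # declared up front
        ("2.1", {INTERNET, "android.permission.READ_CONTACTS"}),
    ],
}

if __name__ == "__main__":
    for pkg, findings in audit(SAMPLE_HISTORY).items():
        for f in findings:
            print(f"{pkg}: {f['previous']} -> {f['version']} adds {', '.join(f['added'])} "
                  f"(had {f['permissions_before']} permission(s) before)")
```

Only releases that grow the sensitive set relative to every earlier release are reported, so an app that declared contact access from its first version produces no finding; the check targets the update-time escalation the article describes, not sensitive permissions as such.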

OceanLotus

Command-and-control domains were already registered in 2015, which means that these malicious applications may have been active before 2016. Code in the malware and on the command servers partly overlaps with code from a known hacking group called OceanLotus, and Kaspersky researchers suspect OceanLotus is behind the attacks. The researchers state that the group mainly attacks Asian governments, dissidents and journalists, and seems to focus in particular on targets that go against the interests of Vietnam. The application names and strings are all written in Vietnamese.

Last month, backdoors were discovered in over 12,000 Android applications. Researchers investigated the 100,000 most-installed Play Store apps, the top 20,000 applications from third-party app stores and more than 30,000 apps pre-installed on Samsung phones.