Every app offered by an alternative Android app marketplace redirected users to a single malicious download.
Earlier in 2017, researchers at security firm ESET came across some interesting activity on the Turkish Android app store CepKutusu.com: every time a user clicked the “Download Now” button, the link redirected them to malware. This behavior was general in nature. In other words, the malicious redirect persisted across every app offered by the marketplace.
But the malware didn’t activate instantaneously.
ESET researcher Peter Stancik clarifies this point:
“Probably to increase their chances to stay under the radar longer, they introduced a seven-day window of not serving malware after a malicious download. In practice, after the user downloads the infected app, a cookie is set to prevent the malicious system from prevailing, leading to the user being served clean links for the next seven days. After this period passes, the user gets redirected to the malware once they try to download any application from the store.”
Regardless of whatever they thought they were installing, every program “downloaded” by users resolved into an installer of Adobe Flash Player for Android.
This isn’t the first time attackers have pushed out threats masquerading as multimedia software, freeware which Adobe announced it intends to pronounce dead in 2020.
Even now, many web browsers disable Flash by default. Android OS hasn’t used the software since 2012, thereby rendering any app claiming to be Adobe Flash Player for the mobile platform a fake.
Ultimately, the malicious download pushed out by CepKutusu.com activates a banking trojan capable of installing other apps, displaying fake activity, and (like other banking malware) intercepting SMS messages to bypass 2-step verification (2SV).
It’s unclear exactly what’s going on here. ESET researcher Lukáš Štefanko thinks CepKutusu could be a rogue app store designed specifically to push out malware. He also thinks it could be a victim of a malicious insider or an external attacker. Whoever’s behind it, Štefanko believes they didn’t think things through:
“As for the impact, what we saw in this particular case was most probably a test. The crooks misused their control of the app store in the simplest manner. Replacing the links to all apps with a link to a single malicious app requires virtually no effort – but it also gives the store’s customers a fair chance to detect the scam. If you got lured into downloading a popular game and ended up with Flash Player instead … I think you’d uninstall it straight away and report the issue, right? This might explain why we have seen only a few hundred infections.”
After reporting the issue to the head of CepKutusu, the malicious activity ceased. That’s not to say there aren’t other app stores out there pushing malicious downloads, however.
Fortunately, it’s not difficult for Android users to protect against behavior like that which CepKutusu exhibited. They can eliminate a great deal of security risk by downloading apps only from trusted developers on Google’s Play Store. For added protection, they should install an anti-virus solution on their devices and NEVER, EVER agree to download Adobe Flash Player on their Android phones.
Granted, many app stores are a risk, but there are some very good alternatives, like F-Droid which is open source, and closely regulated. Also, Android Police's Apk. Mirror is another. XDA Developers have some outstanding apps for those that playstore typically bans, because they can affect the performance of other apps, like adblockers for instance.
But, for those who can NOT access PlayStore, they need to be extra careful. So in those cases, they could download the apk. File and then upload it to (https://Virustotal.com )for testing by 62 separate
AV vendor's besides having a dedicated AV App on their phone. Which Sophos has a great mobile app, free and no ads. Tons of features too. With 100% detection from independent labs testing.