Beware of toast overlays in Android applications: some of them have a far more sinister purpose than you'd think.

Malware on the Play Store is nothing new; it's the downside of having a virtually open platform for apps in the first place. Recently, however, Google has started to crack down on applications that abuse permissions and service APIs to install malware, a notable example being its prohibition on using the Accessibility Services API for anything other than applications that aid users with disabilities. Google feared the API was being used as a mechanism to install malware, and it was right: according to a new report, the API was being used in combination with a vulnerability patched in the September security update to do exactly that.

The report, which comes from security software vendor Trend Micro, identified various malicious apps using this method, among them an app called "Smart AppLocker". The firm claims the app had over 500,000 installs. It purports to restrict other apps from running until the user enters a PIN, and on first use it tells the user it requires Accessibility permissions to operate. Once those permissions are granted, a full-screen Toast window is used to cloak the actual screen contents, displaying a fake progress bar while the app acts behind it. A toast is a window type that, on devices missing the September patch, an app can draw over other apps without holding the "draw over other apps" (overlay) permission, which is what makes it such a convenient cloak, and a highly risky and worrying proposition from a security perspective.

If you thought that was bad enough, it gets worse. While the screen contents are cloaked, the app enables installation of apps from third-party ("unknown") sources, force-stops security apps so they cannot intervene, downloads and installs a second APK, and grants that app Accessibility permissions, allowing it to compromise the remainder of the phone. The apps have since been removed from the Play Store, but the underlying weakness is still present on the hundreds of thousands of devices that have not received the September security update, and any device on which such an app was already installed remains compromised until it is removed. There are criticisms of Google's decision to disallow other uses of the Accessibility Services API, but we're glad the move will help to curb schemes like this.
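A practical check after reading the above is to see which apps on a device actually hold an enabled accessibility service, since that is the foothold the whole chain depends on. The script below is an added example and is not code from the original article or from Trend Micro's report. It parses the value Android stores for that setting (a colon-separated list of `package/ServiceClass` component names, as returned on a real device by `adb shell settings get secure enabled_accessibility_services`) and flags any package not on an allowlist of known assistive apps. The sample value and the `com.example.smartapplocker` package name are constructed for illustration; only TalkBack's package name is a real one.

```shell
#!/bin/sh
# Added example: audit which packages have an enabled accessibility service.
# On a real device, obtain the raw value with:
#   adb shell settings get secure enabled_accessibility_services
# Here the value is a constructed sample so the script runs offline.
# The "smartapplocker" package name is hypothetical.
SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.smartapplocker/com.example.smartapplocker.AccessService'

# Allowlist of packages you expect to legitimately hold accessibility access
# (space-separated). TalkBack is Google's screen reader.
KNOWN_ASSISTIVE='com.google.android.marvin.talkback'

# Print one package name per line for every enabled accessibility component.
# $1 is the raw setting value. A "null" value (setting never set) yields no output.
list_accessibility_packages() {
    [ -z "$1" ] || [ "$1" = "null" ] && return 0
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Print packages that hold accessibility access but are not on the allowlist.
# $1 is the raw setting value, $2 the space-separated allowlist.
flag_unexpected_accessibility() {
    for pkg in $(list_accessibility_packages "$1"); do
        case " $2 " in
            *" $pkg "*) ;;                 # expected assistive app, ignore
            *) printf '%s\n' "$pkg" ;;    # anything else deserves a look
        esac
    done
}

# Stand-alone usage: report unexpected packages and exit non-zero if any.
if [ "${0##*/}" != "sh" ] && [ -z "$GR_TEST" ]; then
    unexpected=$(flag_unexpected_accessibility "$SAMPLE_ENABLED" "$KNOWN_ASSISTIVE")
    if [ -n "$unexpected" ]; then
        echo "Unexpected accessibility services enabled for:"
        echo "$unexpected"
    else
        echo "No unexpected accessibility services."
    fi
fi
```

On an affected device, replace the sample value with the live `adb shell settings get secure` output; any package that is neither a screen reader nor another assistive tool you recognise is worth uninstalling and investigating, particularly if it also requested to install packages.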

What do you guys think? Are you glad the new measures will keep you safer, or do you prefer the flexibility the Accessibility Services API enabled? Let us know in the comments, or head over to the forums to share your thoughts.

Via AP