We have detected a phishing campaign targeting Android developers who publish their creations in Google Play, Android's official app store. The From field of the email reads "Play Developer Support", and the subject is "Update your Account Informations", as you can see in the following screenshot:
If you click on the link provided, you are redirected to a web site that looks like Google, although obviously it isn't:
Phishing attacks are designed to steal credentials and users' identities, which is why they are extremely popular against financial entities and customers of all kinds of payment platforms. This case, however, is different: the attackers are not looking to siphon the victim's account; they want those credentials because they can use them to spread malware through Google Play.
The most worrisome thing is how easy it would be for criminals to automate the whole process. You just need to:
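The lure described above (a brand name in the display name, a subject with a giveaway grammatical slip, and a link to a look-alike host) is the kind of thing a mail filter can flag before a developer ever sees it. The following Python is an added example, not code from the original post or from Panda Security; the two messages it inspects are constructed samples, and the addresses and hostnames in them (fake-google-play.example and friends) are placeholders, not indicators taken from the campaign.

```python
"""Heuristic checks for the "Play Developer Support" phishing lure.

Added example: the messages, addresses and hostnames below are constructed
placeholders. TRUSTED_SENDER_DOMAINS is an assumption for this example; a real
deployment would maintain its own list of domains the brand legitimately uses.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains from which mail claiming to be Google / Google Play is expected (assumption).
TRUSTED_SENDER_DOMAINS = {"google.com"}
# Words in a From display name that amount to a brand claim.
BRAND_KEYWORDS = ("google", "play developer", "play store", "play console")

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_SUBJECT_RE = re.compile(r"update your account informations?", re.I)

# Constructed sample imitating the lure described in the post.
SAMPLE_EMAIL = """\
From: Play Developer Support <support@fake-google-play.example>
To: dev@example.net
Subject: Update your Account Informations
Content-Type: text/plain; charset=utf-8

Dear developer,
Please update your account information at
http://accounts.fake-google-play.example/login
or your apps will be removed.
"""

# Constructed benign message for comparison (same brand claim, legitimate domain).
BENIGN_EMAIL = """\
From: Google Play Console <noreply@google.com>
To: dev@example.net
Subject: Your monthly report is ready
Content-Type: text/plain; charset=utf-8

Your report is available at https://play.google.com/console
"""


def registrable_domain(host):
    """Crude registrable domain: the last two labels.

    Assumption: no multi-label public suffixes (co.uk etc.) in play; a real
    filter would use the Public Suffix List.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _text_body(msg):
    """Concatenate all text/* parts of the message as a decoded string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyze_email(raw):
    """Return a list of findings for a raw RFC 822 message; empty means clean."""
    msg = message_from_string(raw)
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    claims_brand = any(k in display_name.lower() for k in BRAND_KEYWORDS)

    # 1. Display name claims the brand but the envelope address lives elsewhere.
    if claims_brand and registrable_domain(sender_domain) not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"display-name spoofing: '{display_name}' sent from {sender_domain}")

    # 2. Subject matches the campaign's lure, slip and all.
    subject = msg.get("Subject", "")
    if LURE_SUBJECT_RE.search(subject):
        findings.append(f"lure subject: '{subject}'")

    # 3. Links in a brand-claiming mail that point away from the brand's domains.
    if claims_brand:
        for url in URL_RE.findall(_text_body(msg)):
            host = urlparse(url).hostname or ""
            if registrable_domain(host) not in TRUSTED_SENDER_DOMAINS:
                findings.append(f"link to untrusted host: {host}")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze_email(raw) or "clean")
```

The three checks are deliberately independent so that a single one firing is enough to quarantine or tag the message; the display-name check in particular catches the general pattern (brand in the friendly name, unrelated sending domain) rather than only this campaign's wording.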
- Build a crawler (there are a number of open source projects to help out in this task) to download information about all the apps published in Google Play.
- Parse that information to obtain the developers' email addresses.
- Send out a personalized phishing campaign; even the phishing page could be personalized for the specific developer so the "conversion rate" is better.
- As the attacker has the information about the apps published by each developer, they could build an alert system that warns them each time a developer with a popular app (millions of downloads) has fallen into the trap.
From here, one of the easier (and less sophisticated) attacks would be to publish malicious apps using that account. Imagine that someone managed to steal the developer credentials of Candy Crush and published Candy Crush 2 on the developer's behalf…
If the attackers were skilled enough and found a way to modify the developer's current app without the private key (which cannot be obtained with the stolen credentials, since Android only accepts updates signed with the same key as the installed app), they could publish an updated version of any app. In the example above, imagine that the attackers create an update of Candy Crush with a hidden Trojan in it: hundreds of millions of users would download and install it without ever suspecting they were being compromised.
3 comments
On my Samsung tablet I received an update notification for a Samsung app. This is an app that is installed with the tablet so I opened the link to Google App Store just to see if I should update it even though I never used the app, reasoning I should do my due diligence and see if Samsung was publishing the update in order to fix a security bug or something like that. I read the app description and it did not look right. For one, there was very bad grammar in the write up. This is not the quality of writing I would expect from a major vendor like Samsung. Then I noticed the email address of the developer was a Gmail address. That seemed wrong. If it were published by Samsung, wouldn't they put a Samsung domain address in that field? Either Samsung is getting very sloppy, they are hiring sloppy subcontractors, or they are being phished. If you are interested, I'll send screen captures.
Hello Chris. Please send us those screen captures to socialmedia@pandasecurity.com. Thanks.