ClickCease Unveiling How Android Malware Slips Onto Google Play Store

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Unveiling How Android Malware Slips Onto Google Play Store

Wajahat Raja

August 17, 2023 - TuxCare expert team

The Google Cloud security team has recently shed light on a common issue where Android malware slips onto Google Play store. This method is used by hackers to evade the review process and protection barriers of the Google Play Store. Versioning is an emerging technique used by these hackers to overcome security protections and deliver dangerous payloads onto unwary devices, possibly compromising user data.

Versioning: A Stealthy Approach


The basic approach behind versioning entails the devious manipulation of legal applicability. At first, a seemingly innocent version of an app is made available on the Google Play Store. It passes all necessary security tests. But when a covert update is sent from a remote server, the malevolent twist enters the picture. This update modifies the code of the program on the user’s smartphone, essentially enabling illicit behaviors without drawing any attention.

There are two main ways that this versioning technique works. First, by covertly including malicious payloads in updates sent to already installed programs. Second, by invoking malicious code from servers run by hackers. The latter method is known as dynamic code loading (DCL).


The DCL Approach


DCL is becoming a more effective weapon in the kits of hackers. Cybercriminals use DCL to inject their payloads onto Android devices as native, Dalvik, or JavaScript code. They can launch covert malware that can operate undetected thanks to this strategy. This enables them to avoid the static analysis checks performed by the Play Store.

Google maintains a stringent Potentially Harmful Application (PHA) screening procedure for all app submissions in an effort to combat the cat-and-mouse game that cyber criminals play with it. Although this offers a robust defense, the Dynamic Code Loading approach manages to get around some safeguards, giving leeway for malevolent activities to continue.

The policy app vetting process by Google categorically forbids apps from making unauthorized code changes, replacements, or upgrades from sources other than Google Play’s official process. Additionally, the rules categorically forbid the purchase of executable code from other sources, preserving the integrity of the Android App Store.


SharkBot – A New Variant


The Android malware infiltration version known as SharkBot is a notable example. Versioning is a tactic used by this banking malware, which was first discovered by Cleafy’s Threat Intelligence Team to covertly infect Android devices. SharkBot circumvents the Play Store’s initial tests by pretending to be legitimate applications. Once downloaded, the malware then uses the Automated Transfer Service (ATS) protocol to conduct illicit financial transactions.

The masterminds behind SharkBot carefully release limited functionality versions on Google Play to carry out their plans while concealing their real motives. By deceiving consumers into downloading the apps without thinking, this strategy successfully hides the malicious nature of the software, increasing mobile device threats.

Recent disclosures by ThreatFabric security experts have revealed a fresh method used for the same thing. This approach purposely avoids Google’s app analysis tools, avoiding their inspection. As a result, malicious applications or APKs can sneak onto consumers’ handsets and compromise their devices’ perceived security.


The Road Ahead


The landscape of Android malware is always changing; therefore, users and developers must maintain increased awareness in the context of these Google Play security challenges. Hackers have shown their versatility and skill by utilizing dynamic code loading and versioning techniques. It is crucial that consumers take caution when downloading applications and that developers follow Google’s strict requirements in order to stop such sneaky intrusions as we travel this digital frontier.




Considering that Android malware slips onto Google Play Store, there is a necessity for ongoing improvements in security procedures. The difficulties that the Play Store and the larger Android systems are facing are made clear by Google’s findings. Our most effective defenses remain knowledge and proactive tactics as we prepare for the uncharted territories of cyber attacks. 

In case of any queries, you can always contact us at Tux Care, our experts are always there to guide you!

The sources for this piece include an article in Bleeping Computer.


Unveiling How Android Malware Slips Onto Google Play Store
Article Name
Unveiling How Android Malware Slips Onto Google Play Store
Learn how Android malware slips onto Google Play store controls. Google reveals tactics, versioning, and dynamic code loading.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter