Damaging Malware Uncovered in the Google Play Store

Android users can choose from 3.718 million applications in the Google Play Store.

When installing applications, the majority of consumers trust Google to keep their devices safe from hackers.

However, the reality is different.

Just back in May 2023, researchers discovered over 101 infected applications in the Android store. Many of these apps counted over 400 million downloads.

According to Statista, 71% of malware downloaded to Android devices via the official app store has escalation privileges. Other common strains are spyware and Trojan malware.

Here are four types of malware that were recently found in the Google Play Store.

How did they infect user phones, and what is Google doing to improve the security and vetting process within their application store?

That’s what we’re here to find out.

#1 Two Chinese Spyware Apps

In July 2023, Chinese spyware was uncovered, hidden behind two seemingly legitimate applications in the Google Play Store. Users would install the data-collecting malware either via infected file management or data recovery apps.

Both applications claimed not to collect personal (or any other type of) user data.

However, they gathered large volumes of sensitive data. This included contact lists, user location, the brand of their device, the type of operating system they use, the name of the network provider, media files, and more.

Copies of the files were sent globally—for the most part, to multiple China-based servers.

Using install farms, the hackers made it seem as if the app had been downloaded by a large number of users—making it seem trustworthy.

As a result, 1.5 million genuine users were infected by this spyware hosted on two apps.

#2 Crypto Stealing Malware CherryBlos

In July 2023, researchers found that users were accidentally installing the crypto-stealing malware known as CherryBlos via Google Play Store, right after installing the application for mining crypto known as SynthNet.

CherryBlos belongs to the Android malware family, and it’s capable of stealing your crypto wallet data using the pictures saved on your phone.

To do so, CherryBlos malware relies on optical character recognition (OCR). It scans the photos for mnemonic phrases that crypto users rely on to recover or enter their crypto accounts.

After the malware obtains the credentials of the victim’s crypto wallet, it also switches the user’s address in order to withdraw money.

This cyber attack affected Android users globally.

The most vulnerable group for this type of hacking were users with disabilities who rely on screen readers and those who saved information about their cryptocurrency account in photo form—instead of a password manager vault.

#3 Adware Disguised as Games

In August 2023, 2.5 million users installed applications infected with adware from various gaming apps in the Google Play Store. Researchers discovered 43 applications that contained this hidden adware.

Some of the infected gaming applications were Super Skibydi Killer, Rainbow Stretch, and Agent Shooter.

Most infected users weren’t aware that the malware was on their phones. Normally, the first sign of adware is the overwhelming number of ads that pop up and cover the screen. This was not the case here.

When the user turned off their screen, the application would push a large volume of ads on the Android phone. Cybercriminals used this tactic to generate revenue via ads.

The victim would not see these ads, but they probably noticed that their battery was draining at a rapid pace.

#4 SecuriDropper Malware

In November 2023, an evolved type of malware, classified as Android dropper malware, was discovered in the Google Play Store. It’s dubbed SecuriDropper.

SecuriDropper is a Trojan that manages to evade most of the restriction settings that an Android device has. These security measures are there to prevent applications from directly requesting access to accessibility settings from the user.

Therefore, the endgame of this malware was to install other kinds of malware on the targeted device.

For example, in one attack, the hackers used the initial malware infection to install spyware known as SpyNote—which has the functionality of a remote administration tool.

Threat actors would then exploit the access to steal sensitive user information and install other types of malware.

Unlike the other malware cases in this article, users get this Trojan via other sources, such as phishing sites, but believe they’re installing it directly from the Google Play Store.
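A defender-side check for the pattern described above, as an added example that is not part of the original article: it cross-references the output of `adb shell pm list packages -i` with `adb shell settings get secure enabled_accessibility_services` and flags apps that hold an accessibility service but were not installed by the Play Store. The sample outputs and the `com.example.*` package names are constructed.

```python
PLAY_STORE = "com.android.vending"  # installer package name of the Google Play Store

# Constructed sample output of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.filemanager  installer=com.android.vending
package:com.example.updater  installer=com.example.dropper
package:com.example.sideloaded  installer=null
"""

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.updater/com.example.updater.core.HelperService:"
    "com.example.sideloaded/.A11yService"
)

def parse_installers(pm_output):
    """Map package name -> installer package (None when none is recorded)."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue  # skip blank lines and adb warnings
        name = fields[0][len("package:"):]
        value = next(
            (f.split("=", 1)[1] for f in fields[1:] if f.startswith("installer=")),
            None,
        )
        installers[name] = None if value in (None, "null") else value
    return installers

def parse_services(settings_output):
    """Return the package that owns each enabled accessibility service."""
    value = settings_output.strip()
    if not value or value == "null":  # setting unset: nothing enabled
        return []
    return [comp.split("/", 1)[0] for comp in value.split(":") if comp]

def flag_sideloaded_accessibility(pm_output, settings_output):
    """List (package, installer) pairs with accessibility access not from Play."""
    installers = parse_installers(pm_output)
    return [(pkg, installers.get(pkg)) for pkg in parse_services(settings_output)
            if installers.get(pkg) != PLAY_STORE]

if __name__ == "__main__":
    for pkg, inst in flag_sideloaded_accessibility(SAMPLE_PACKAGES, SAMPLE_SERVICES):
        print(f"review: {pkg} (installer: {inst or 'unknown'})")
```

Preinstalled system apps also report `installer=null`, so treat each flagged entry as a prompt for review rather than a verdict.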

Why Is Fighting Malware in Google Play Store An Uphill Battle?

Many Android users are unaware that hackers bypass the security and regulations Google set to prevent malicious programs in its app store. It’s difficult to uncover all the malware that is delivered via Google apps.

In some cases, the malicious program exploits zero-day vulnerabilities. These go undetected because tools can’t pick up on them.

Another common way malware gets on Android phones is through later updates of an application. In that case, the user installs an app that is not infected, but the threat actor delivers a malicious program with updates that follow.

To evade Google’s security checks in this stage, the criminal releases the code alterations and updates using a third-party server.

Users install malware-infected apps in the first place because they’re disguised as trusted apps—often even as an antivirus application.

What Is Google Doing to Protect Users From Mobile Malware?

Google already has a vetting process and security standards that an application needs to meet to get into the Google Play Store. This detects applications that are riddled with malware from the start.

Even the patches and updates issued by the applications are rigorously assessed before being released to the public.

The most recent security measure they’ve introduced is real-time app scanning. This new feature of Play Protect is designed to let users easily scan applications in real time and make sure they’re safe before installing them on Android devices.

However, this is not a foolproof solution because bad actors continue to find new ways to evade security protocols and infect applications—making them challenging to catch.

By Evan Morris, Network Security Manager
