Google is tightening security on Android, aiming to close the gap with Apple’s iOS by enhancing its Play Store and restricting sideloading. These measures include the upcoming introduction of live threat detection in Android 15 via Play Protect. However, security risks remain significant, as recent reports reveal. New malware variants continue to target Android users, even within the Play Store, emphasizing that stronger defenses are still needed.
Kaspersky recently issued a warning about modified versions of popular apps like Spotify, WhatsApp, and Minecraft. These apps, often downloaded outside the Play Store, are being used to spread the Necro Trojan, an evolving malware first reported in 2019. Originally found in CamScanner, which had over 100 million downloads on the Play Store, the Trojan has reappeared in new, more dangerous forms, hidden within both legitimate apps and unofficial app mods.
The new iteration of the Necro Trojan is more sophisticated, using advanced techniques to avoid detection. It can download apps, control device functions, and even sign users up for unwanted paid services. The malware has been found not only in unofficial app sources but also within popular Play Store apps like Wuta Camera, which had millions of downloads. This underscores that even official apps can be compromised, making vigilance crucial for users.
Cleafy has also flagged a banking Trojan called TrickMo, an evolution of TrickBot, which has been updated with anti-analysis mechanisms to better evade detection. This malware, first discovered in 2019, is delivered through a fake Chrome browser update. Once installed, it tricks users into enabling accessibility services, posing as a legitimate version of Google Play Services to hijack the device.
TrickMo’s capabilities are dangerous and wide-ranging, including intercepting one-time passwords (OTPs), screen recording, keylogging, and remote control of the infected device. Cleafy emphasizes that the Trojan’s ability to mimic trusted apps like Google Play Services makes it especially effective in deceiving users. As a result, even official updates need to be scrutinized for authenticity.
A third report from ThreatFabric highlights Octo2, a variant of the Octo malware, which is itself an evolution of the Exobot family. Octo2 is particularly dangerous due to its advanced obfuscation and remote access capabilities. Masquerading as trusted apps like Google Chrome and NordVPN, Octo2 is spreading globally through malware-as-a-service models. Its ability to hijack push notifications and steal credentials is concerning for users worldwide.
Octo2 continues the trend of evolving malware that adapts to new security measures. By targeting apps with large user bases, it manages to steal sensitive data without alerting the user. Researchers warn that Octo2 is expected to replace its predecessor seamlessly, benefiting from established distribution channels and leveraging its new capabilities to further its reach.
In response to these threats, users are advised to adhere to strict safety practices. This includes sticking to official app stores, checking developer credentials, and avoiding granting unnecessary permissions, particularly to trivial apps. Regularly reviewing installed apps and enabling Play Protect are essential steps in reducing the risk of infection. Even as malware evolves, these best practices remain a reliable first line of defense.
