Malware pretending to be legitimate software is one of the oldest tricks in the hacker book. You download an app hoping it does what it says it does and it just loads your phone with ads or spying programs instead. But what do you do when an app performs its intended function while doubling as malware on the down low? The latest mobile threat tip from security company Malwarebytes details a real shopping app that's also real Android malware.
Secret Shopper
The fake Taobao Client, designated Trojan.FakeUpdates.f by Malwarebytes, purports to be an update for the real Taobao, a popular Chinese shopping app. By claiming to be an update, the malware hopes users of the legitimate app will download this imposter as well. Unsurprisingly, it's available for download on unregulated third party app stores.
Here's where things get tricky. The fake Taobao Client works just like the real deal. You can actually use it for shopping. With other malware, the broken promise is what immediately lets victims know that something is wrong, but not so here. However, something is wrong. As you use the fake Taobao Client, unaware of its true dangerous nature, it begins executing its additional malicious code. This code runs on receiver and service names that start with "com.google" to hide its existence, and it can install more, potentially dangerous app on your device under your nose.
Taobao Client isn't the only legitimate Chinese app with a shockingly convincing malware counterpart. Malicious code has also been found in Huawai Hotalk and other Chinese apps. This incident also reminded us of the recent drama over XcodeGhost. In that case, well-intentioned developers were using a bootleg version of Apple's app-creating software and inadvertently infecting their real iOS apps with malware.
Staying Safe
If even the most seemingly trustworthy and functional apps on third party markets can still be secret malware, that should tell you that the Google Play store, the official source, is the only safe place to download Android apps. And to make your Android phone or tablet as safe as it can possibly be, get one of the best Android antivirus apps. When even the apps that work can still be malware, what's real anymore, man?