top of page

Malicious Actors Exploit Versioning to Target Android Users

We discuss this very thing in our Ethical Hacking and Forensic courses! In the ever-evolving landscape of cybersecurity, threat actors are constantly devising new tactics to evade detection and infiltrate unsuspecting victims. A recent technique gaining notoriety is versioning, a cunning strategy that circumvents Google Play Store's malware defenses to target Android users with a stealthy and elusive approach.

Highlighted in the August 2023 Threat Horizons Report by the Google Cybersecurity Action Team, campaigns employing versioning have a common objective: to gain unauthorized access to users' sensitive credentials, data, and financial resources. While versioning itself is not novel, its discreet nature makes it a challenging adversary for security measures.

Here's how versioning works: Initially, a developer releases an innocuous version of an app on the Google Play Store, meticulously crafted to pass through Google's rigorous pre-publication checks. However, the seemingly harmless app is later updated with a concealed malware component. This manipulation is orchestrated by sending an update from an attacker-controlled server, which employs a technique known as dynamic code loading to deliver malicious code onto the target device. Effectively, the app transforms into an inconspicuous backdoor, ready to compromise the user's device.

As reported in The Hacker News and Alien Vault, an illustrative case of versioning-based malware came to light when ESET uncovered a screen recording app named "iRecorder - Screen Recorder." Interestingly, the app maintained its benign facade for nearly a year before malicious alterations were surreptitiously introduced. This allowed the app to covertly spy on unsuspecting users, highlighting the covert potency of the versioning tactic.

SharkBot serves as another alarming example of the nefarious applications of dynamic code loading. Posing as security and utility apps, SharkBot is, in reality, a financial trojan that conducts unauthorized money transfers using the Automated Transfer Service protocol. This malware strain has made repeated appearances on the Play Store, further emphasizing the challenge of identifying and eradicating such threats.

To augment security in an enterprise setting, the need for a defense-in-depth approach becomes evident. This includes prudent measures such as restricting application installation to trusted sources like Google Play or implementing robust mobile device management (MDM) platforms for corporate devices. Such precautions can help minimize the potential risks posed by versioning-based attacks.

Malware operators exploit a vulnerability in Android, manipulating app components to make malicious apps appear benign. By corrupting specific segments of an app while keeping the entire application seemingly valid, cyber criminals can maintain a façade of legitimacy. This allows them to keep multiple apps published simultaneously, with only one app acting maliciously while others serve as backups, ready to take over if a take-down occurs. This tactical maneuver extends the longevity of their campaigns, streamlining the distribution process for malicious droppers.

For Android users seeking to safeguard their devices, adhering to a few key practices can prove instrumental. Sticking to trusted sources for app downloads and enabling Google Play Protect ensures proactive notifications in case a potentially harmful app is detected on the device.

In the ever-evolving cat-and-mouse game between cyber criminals and security experts, the emergence of versioning as a sophisticated technique underscores the need for vigilance and a comprehensive security approach. By staying informed, adopting best practices, and leveraging the protective measures offered by Google Play Store, users can fortify their defenses against these elusive and stealthy threats.

10 views0 comments

Recent Posts

See All


bottom of page