ESET researchers discovered that CepKutusu.com, a Turkish alternative Android app store, had been serving banking malware in place of every app it offered.
When users browsed the Turkish alternative app store CepKutusu.com and proceeded to download an app, the “Download now” button led to banking malware instead of the desired app. A few weeks after ESET researchers reported the attack to the store’s operator, the store ceased the malicious activity.
Although ESET researchers found the redirection from a legitimate app to the malicious one to be universal – every single app on the store was set to be replaced with the banking malware – the crooks behind the campaign added one exception.
Probably to stay under the radar for longer, they introduced a seven-day window during which no malware is served after a malicious download.
In practice, once the user has downloaded the malicious app, a cookie is set that suppresses the redirection, so the user is served clean links for the next seven days. After this period passes, the user is redirected to malware again the next time they try to download any application from the store. Because the suppression lives in a client-side cookie, a fresh browser profile (or a cleared cookie jar) would see the malicious link immediately, which is why a single download through an uncookied session is the most direct way to check such a store.
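The two behaviours described above (every app resolving to one payload, and a cookie that switches the store back to clean links) are both detectable from a crawl. The following is an added example, not ESET’s tooling or any code from the store: it runs a triage over constructed crawl observations in which each app was fetched once from a fresh session and once from a session carrying the suppression cookie. The app slugs, file names and hash placeholders are invented for illustration.

```python
from collections import defaultdict

# Constructed sample of crawl observations (not real data from CepKutusu.com).
# Each record is (app_slug, session_kind, served_filename, served_sha256).
#   "fresh"   = a new session with no cookies
#   "cookied" = a session carrying the suppression cookie set after a prior
#               malicious download (hypothetical name; the real cookie is not
#               named in the article)
# The hashes are placeholders, not real SHA-256 values.
SAMPLE = [
    ("cool-game",    "fresh",   "flash_player.apk", "sha-A"),
    ("photo-editor", "fresh",   "flash_player.apk", "sha-A"),
    ("weather",      "fresh",   "flash_player.apk", "sha-A"),
    ("cool-game",    "cookied", "cool-game.apk",    "sha-1"),
    ("photo-editor", "cookied", "photo-editor.apk", "sha-2"),
    ("weather",      "cookied", "weather.apk",      "sha-3"),
]


def shared_payloads(records, min_apps=3):
    """Map each binary hash to the distinct apps it was served for, keeping
    only hashes that back at least `min_apps` different apps. A legitimate
    store should never hand out one binary for many unrelated apps."""
    by_hash = defaultdict(set)
    for app, _, _, digest in records:
        by_hash[digest].add(app)
    return {d: sorted(apps) for d, apps in by_hash.items() if len(apps) >= min_apps}


def cookie_dependent_apps(records):
    """Apps whose served binary differs between the fresh and the cookied
    session. That difference is the fingerprint of the seven-day suppression
    window: clean links only once the client carries the cookie."""
    seen = defaultdict(dict)
    for app, kind, _, digest in records:
        seen[app][kind] = digest
    return sorted(
        app for app, kinds in seen.items()
        if "fresh" in kinds and "cookied" in kinds and kinds["fresh"] != kinds["cookied"]
    )


def mismatched_filenames(records):
    """(app, filename) pairs where the served file name does not contain the
    requested app's slug, e.g. a 'Flash Player' APK handed out for a game."""
    return sorted(
        (app, filename)
        for app, _, filename, _ in records
        if app not in filename.rsplit(".", 1)[0]
    )


def triage(records):
    """Combine the three checks into one report for an analyst."""
    return {
        "shared_payloads": shared_payloads(records),
        "cookie_dependent_apps": cookie_dependent_apps(records),
        "mismatched_filenames": mismatched_filenames(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

In a real run, `records` would come from fetching each store link twice (once from a clean session, once after a first download) and hashing the returned APKs; the three checks are deliberately independent so that a store which hijacks only some links, or which does not use a cookie at all, still trips at least one of them.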
The malicious app distributed by the store at the time of the investigation was remotely controlled banking malware capable of intercepting and sending SMS messages, displaying fake activity screens, and downloading and installing other apps.
When installed, the malware does not mimic the app the user intended to install. Instead, it poses as Flash Player.
Lukáš Štefanko, the ESET malware researcher specialising in Android malware who discovered the malware-distributing app store, says this is the first time he has seen an entire Android market infected in this way.
“Within the Windows ecosystem and in browsers, this technique is known to have been used for some time but in the Android ecosystem, it’s really a new attack vector.”
He adds that this particular case is most probably a test. “The crooks misused their control of the app store in the simplest manner. Replacing the links to all apps with a link to a single malicious app requires virtually no effort – but it also gives the store’s customers a fair chance to detect the scam.
“If you got lured into downloading a popular game and ended up with Flash Player instead … I think you’d uninstall it straight away and report the issue.
“This might explain why we have seen only a few hundred infections.”
So far the researchers have identified three possible scenarios for who launched the attack, Štefanko says.
It could be an app store built from the outset to spread malware; a legitimate app store turned malicious by an employee with bad intentions; or a legitimate app store that has itself become the victim of a remote attacker.
ESET advises that users take a few steps to protect themselves: download apps from official app stores; be cautious when downloading content from the Internet; and use a reliable mobile security solution.