Android users usually download and install applications from the Google Play store through several interactions with the service–including viewing the app’s description and granting permission requests by the app. This confirmation procedure helps us avoid installing malicious and potentially unwanted apps.
However, McAfee recently found a suspicious app on Google Play that almost automatically downloads, installs, and launches other apps from Google Play without these interactions. This automatic installation occurs with the Google account’s authorization tokens, provided by the user only once, which communicates with Google Play URLs in an unofficial way.
This app, which has been removed from Google Play, targets Japanese users and allows them to download and view adult movies in return for installing at least five apps among a list of more than 10 provided by a remote server. None of these apps are malicious. It appears the app does this just to get pay-per-install affiliate rewards in an easy–and possibly prohibited–way that betrays advertisers. It’s possible the remote server might later change the list of apps and replace them with malicious ones, though we have not yet seen such behavior.
Next the app grabs the Google account information on the device and requests that the user authorize the app to access Google services using the AccountManager.getAccountsByType() and AccountMangaer.getAuthToken() APIs. In this case, two privileges, SID and LSID, are requested; these allow the app to access various Google services including the store. These authorization tokens are stored by the app for later use and are also cached for a while by the Android system. Thus until they expire, this authorization request will not be repeated when user next launches the app.
Once these privileges are granted, the app accesses and interacts several times in an unofficial way with the URLs managed by Google Play. We suspect that the app developer somehow reverse-engineered the protocol used in the Google Play service. Through these HTTP communications, such as retrieving cookies, the app obtains a token to directly request the download of any free apps on Google Play and initiates their automated installation.
Normally users install apps manually from Google Play and can open an app’s description page, check the permission requests, and reject an installation. None of that is possible with this app. Finally the app launches all the installed apps once their installations have finished.
Allowing this kind of app installation invites terrible results if this technique is abused by malicious developers; they can silently install other malicious apps on Google Play onto a user’s device and automatically launch them to run harmful code, without giving the user any opportunity to reject the installation. Users can still bar access to the SID and LSID of their Google accounts when prompted, but malware could offer a legitimate reason or a reward to convince users to approve requests, and allow the app to later install other malware or unwanted apps using the stored authorization tokens.
This automatic installation is allowed thanks to users granting GET_ACCOUNTS and USE_CREDENTIALS permission requests by the app. As previously mentioned, granting these permissions gives the app a powerful position on users’ accounts (and possibly the accounts of services other than Google). Users should be very careful when any unfamiliar app requests these permissions at installation, and also when such apps request access to privileges to a device’s Google account at runtime. Allowing privileges to malicious apps could cause terrible damage to devices and privacy.
McAfee Mobile Security detects this potentially risky app as Android/BadInst.A.