Page 79 - Cyber Defense eMagazine September 2023

The multi-step approach of the outlined experiment circumvents vetting policies and makes IMUTA successful; a quick overview is provided in Fig. 1. Through this attack, the researchers were able to collect and exfiltrate private user data to their command-and-control server. The key to their success is the use of incremental malicious updates, which apparently build trust with the server so that no alarms are raised.




Why this attack is dangerous

This attack is dangerous for several reasons. It evades Google Play Protect's security mechanisms by exploiting its relatively lenient trust policies for package distribution and feature updates. It exploits users' trust in the Google Play Store as a safe and authentic source of applications: users are unlikely to suspect that an application downloaded from the Google Play Store could become malicious through updates. Users may also grant permissions to the application without checking its functionality or content.

It is not certain that these kinds of attacks are specific to the Google Play Store, and it cannot be assumed that other application distribution platforms are immune. According to the researchers, the chosen voice search application is just one example; the same technique could be replicated in other popular or sensitive applications such as banking, social media, or healthcare applications.

These kinds of attacks are complex, sophisticated, and persistent, and they can remain undetected for an extended period of time. They can be used for various malicious purposes, such as financial gain, political gain, and sabotage. Moreover, the collected data can be used for identity theft, fraud, blackmail, phishing, or espionage.



What Google should do to prevent it

Google Play's vetting policies should be reevaluated in order to improve its security posture and protect its users. For instance, a significant portion of such attacks could be blocked by obtaining information on the updated application module from the developer individually and calculating a similarity index based on the code similarity between the earlier version and the new variant. This similarity index would help to spot significant differences and flag suspicious updates.

Moreover, the updated code should be merged directly into the previous version instead of replacing the application entirely. Currently, a new version replaces the older version outright, which increases the opportunities for dynamic code loading and reduces the traceability of malicious injections.

In addition, the security mechanism deployed by Google should analyze application updates with the same rigor as initial submissions, including checking for maliciousness, hidden intents, requested permissions, and provided functionality, and comparing the code of the published version of the application with that of each of its updates.
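As an added illustration of the similarity-index and update-comparison recommendations above (example code, not the article's or Google's own), the toy check below reduces each version to a constructed fingerprint of requested permissions and method signatures, as one could extract from an APK's manifest and DEX, and vets every update against both its predecessor and the first vetted baseline, since a chain of small updates can each look benign on its own. The version chain, the permission list and the loader hints are all assumptions made for the example.

```python
SENSITIVE_PERMISSIONS = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
                         "android.permission.ACCESS_FINE_LOCATION"}
LOADER_HINTS = ("DexClassLoader", "loadDex")  # crude markers of dynamic code loading (assumed)

def jaccard(a, b):
    """Similarity index in [0, 1]: signatures shared over all signatures seen."""
    return len(a & b) / len(a | b) if (a or b) else 1.0

def vet_chain(versions, min_similarity=0.8):
    """One finding per update; flag when the step or the cumulative drift is too large."""
    baseline, findings = versions[0], []
    for i in range(1, len(versions)):
        prev, cur = versions[i - 1], versions[i]
        step = round(jaccard(prev["methods"], cur["methods"]), 3)       # vs previous release
        drift = round(jaccard(baseline["methods"], cur["methods"]), 3)  # vs vetted baseline
        new_perms = sorted((cur["permissions"] - baseline["permissions"]) & SENSITIVE_PERMISSIONS)
        loaders = sorted(m for m in cur["methods"] - baseline["methods"]
                         if any(h in m for h in LOADER_HINTS))
        reasons = []
        if step < min_similarity:
            reasons.append(f"step similarity {step} below {min_similarity}")
        if drift < min_similarity:
            reasons.append(f"baseline similarity {drift} below {min_similarity}")
        if new_perms:
            reasons.append("new sensitive permissions: " + ", ".join(new_perms))
        if loaders:
            reasons.append("possible dynamic code loading: " + ", ".join(loaders))
        findings.append({"version": i, "step_similarity": step, "baseline_similarity": drift,
                         "flag": bool(reasons), "reasons": reasons})
    return findings

def version(perms, methods):
    return {"permissions": set(perms), "methods": set(methods)}

# Constructed sample chain (not real app data): a voice-search app that grows by two methods
# per release and, in the last release, starts reading contacts and loading code at runtime.
BASE_PERMS = {"android.permission.RECORD_AUDIO", "android.permission.INTERNET"}
BASE = {f"com/example/voice/Core;m{i}" for i in range(10)}
V0 = version(BASE_PERMS, BASE)
V1 = version(BASE_PERMS, V0["methods"] | {"com/example/voice/Sync;init", "com/example/voice/Sync;tick"})
V2 = version(BASE_PERMS, V1["methods"] | {"com/example/voice/Sync;pack", "com/example/voice/Sync;send"})
V3 = version(BASE_PERMS | {"android.permission.READ_CONTACTS"},
             V2["methods"] | {"com/example/voice/Sync;readContacts", "com/example/voice/Sync;loadDex"})
CHAIN = [V0, V1, V2, V3]

if __name__ == "__main__":
    for finding in vet_chain(CHAIN):
        print(finding)
```

Note that the second update passes the step check (0.857) but fails against the baseline (0.714), which is exactly the drift a per-update comparison alone would miss.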

Finally, it is essential to educate users about the risks of downloading and updating applications from any source, even the Google Play Store. They should be encouraged to review each application's permissions, functionality, and content before installing or updating it. In order to ensure the security and




Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.