The latest Android security vulnerability, dubbed Janus, lets malicious actors bypass app signatures and inject malicious code into Android apps. Plus, malware-infested mobile apps are again on the rise.

GuardSquare security researchers discovered the vulnerability (CVE-2017-13156), which put millions of Android devices in danger, last summer and reported it to Google. Google patched the hole, among four dozen vulnerabilities, as part of its December Android Security Bulletin.

“This vulnerability is significantly different as it would allow an attacker to augment or inject code into an application on a non-rooted device without disrupting the application's signature. For example, this could mean changing the behavior of a banking app to exfiltrate credentials,” mobile app security expert, Rusty Carter, VP of product management at San Francisco-based application protection solution firm Arxan, said.

Carter added, “This example is evidence that these vulnerabilities DO exist and without protection, app users, creators and owners run the risk of an attacker finding that next 0-day. As such, organizations with apps must be sure they are implementing anti-tamper technology within their apps.”

GuardSquare wrote in its blog, “Although Android applications are self-signed, signature verification is important when updating Android applications. When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update. The updated application inherits the permissions of the original application.”

Another San Francisco firm, digital threat management solutions provider RiskIQ, in its Q3 mobile threat landscape report, saw an increase in blacklisted apps over Q2, the continued issues of imitation and Trojan apps in official app stores, and the emergence of the massive WireX mobile botnet.

RiskIQ's Q3 analysis confirmed feral apps and the Google Play store are the most abundant sources of malicious apps each quarter. However, Google's percentage of malicious apps overall decreased and fell to a low of 4% in Q3 after reaching a high of 8% in Q2.

In third place, secondary store AndroidAPKDescargar had comparable numbers to Google and feral apps. In Q3, it more than doubled its number of malicious apps from Q2 to 20,907, making up about one-third of its total app count and outpacing all other stores by more than 10,000.

Malicious apps spread by mimicking popular ones. Antivirus, dating, messaging, and social networking apps are favorite targets. “The Google Play store, in particular, is fertile ground for these attacks,” RiskIQ explained.

Coinciding with the increase in dangerous/imitation apps, Q3 also saw the emergence of a mobile botnet attack, known as WireX.

In August, RiskIQ, Akamai, Cloudflare, Flashpoint, Google, Oracle Dyn, Team Cymru, and others collaborated to take down the new threat, which affected the devices of at least 70,000 Android users globally. After a short development stage, on Aug. 17, the botnet struck several content delivery networks with between 130,000 and 160,000 unique IPs observed from 100-plus countries. The botnet's apps masqueraded as media and video players, ringtones, and storage managers. Once installed, they activate hidden functionality to communicate with command and control servers and launch attacks, whether the app is in use or not.

The group identified about 300 apps tied to WireX, including a subset found in official app stores, such as the Play store. Google moved to block these apps and remove them from all Android devices.

However, the botnet is not dead, and researchers are still encountering examples of its malicious apps in the wild. “Securing the mobile app ecosystem continues to be a challenge for app stores of all sizes, but efforts to improve version control, monitor for abuse, employ verification techniques, and offer security education can help,” Mike Wyatt, director of product operations at RiskIQ, said. “Tracking the use of brand names and likeness is an equally daunting challenge for corporations. Brands should evaluate and implement solutions that constantly monitor their digital footprint online and in mobile app stores.”

Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).