Full Report
Over 300 malicious Android applications, downloaded 60 million times from Google Play, acted as adware or attempted to steal credentials and credit card information. [...]
Analysis Summary
# Incident Report: Malicious 'Vapor' Android Apps on Google Play
## Executive Summary
A large-scale campaign involving "Vapor" malware was discovered utilizing numerous seemingly legitimate apps distributed via the official Google Play Store, leading to approximately 60 million installations worldwide. The malware employed sophisticated evasion techniques, disabling its launcher icon, bypassing modern Android security protections, and executing malicious overlays for advertising fraud and credential harvesting (Facebook, YouTube). Response involved immediate user advisories to uninstall the apps and run security scans.
## Incident Details
- **Discovery Date:** Not explicitly stated, but implied to be shortly before the reporting date (the summary is based on Bitdefender's published analysis).
- **Incident Date:** Ongoing campaign involving apps installed up to 60 million times.
- **Affected Organization:** Google Play users globally.
- **Sector:** Mobile Technology / Consumer Software Distribution.
- **Geography:** Global (due to Google Play distribution).
## Timeline of Events
### Initial Access
- **Date/Time:** Campaign period spanning the duration of the 331 malicious apps' presence on Google Play.
- **Vector:** Malicious application submission to the official Google Play Store.
- **Details:** Apps installed up to 60 million times globally.
### Lateral Movement
- Not applicable in the traditional sense, as the attack vector targets the individual infected mobile device rather than internal network infrastructure.
### Data Exfiltration/Impact
- Displaying full-screen, exit-preventing ads (ad fraud).
- Displaying fake login screens for widely used services (e.g., Facebook, YouTube) to steal credentials.
- Prompting users for credit card information.
### Detection & Response
- **How it was discovered:** Analysis performed by Bitdefender.
- **Response actions taken:** Public advisories issued recommending users immediately uninstall identified malicious apps and run full system scans using Google Play Protect or other mobile AV products.
## Attack Methodology
- **Initial Access:** Distribution via Google Play Store under benign "Vapor" or renamed app appearances (e.g., Google Voice).
- **Persistence:** After installation, the malware disables at runtime the launcher activity declared in its `AndroidManifest.xml`, so the app icon disappears from the launcher while the app stays installed. It also removes itself from 'Recent Tasks.'
- **Privilege Escalation:** Bypassed `SYSTEM_ALERT_WINDOW` permission restrictions on Android 13+.
- **Defense Evasion:** Used native code to launch a secondary hidden component while keeping the main launcher disabled, bypassing newer Android security measures designed to prevent dynamic launcher disabling.
- **Credential Access:** Displayed fake login screens targeting Facebook and YouTube credentials.
- **Discovery:** Not specified beyond initial installation.
- **Lateral Movement:** Not applicable to network movement.
- **Collection:** Harvesting user credentials (Facebook, YouTube) and credit card details via overlaid phishing forms.
- **Exfiltration:** Implied data theft resulting from harvested credentials and financial input.
- **Impact:** Ad fraud, financial loss potential, and user data compromise.
## Impact Assessment
- **Financial:** Potential revenue loss/fraud due to aggressive ad placements and credential theft; costs associated with remediation for affected users.
- **Data Breach:** Harvesting of user credentials (Facebook, YouTube) and credit card information.
- **Operational:** Interruption of mobile usability for affected users due to full-screen, inescapable overlays.
- **Reputational:** Potential reputational harm to Google Play Store security vetting processes.
## Indicators of Compromise
- **Network indicators:** Not explicitly detailed in the provided text (URLs/IPs were not featured).
- **File indicators:** The 331 known malicious package names/APKs, referenced in a linked CSV file.
- **Behavioral indicators:** Disabling the launcher activity, creating fullscreen overlays, disabling the 'back' button, and running processes hidden from 'Recent Tasks.'
## Response Actions
- **Containment measures:** Users advised to uninstall the malicious applications immediately.
- **Eradication steps:** Encouraged running a complete system scan with Google Play Protect or other mobile AV products.
- **Recovery actions:** (Implied) Users must change credentials harvested via fake login screens and monitor financial accounts.
## Lessons Learned
- Malicious actors continue to find ways to circumvent modern Android security patches (e.g., bypassing protections against dynamically disabling launchers or overlay restrictions).
- Relying solely on official app stores does not guarantee safety, as sophisticated deceptive apps can pass initial vetting.
## Recommendations
- Users should exercise extreme caution when installing new, unfamiliar apps, even from Google Play.
- Users should scrutinize app permissions and regularly compare the displayed app icon list against the full list in Settings → Apps.
- Google must continually update vetting processes to detect advanced evasion techniques, such as chaining native code execution with manifest manipulation to bypass security sandbox features.
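The behavioral indicator above (installed, but no launcher icon) and the recommendation to compare the visible icon list against Settings → Apps can be checked from a workstation over `adb` instead of by eye. The following POSIX shell script is an added example written for this summary; it is not code from the Bitdefender report or from the malware. It assumes `adb` is on the PATH and that the attached device accepts `pm list packages -3` and `cmd package query-activities` (Android 7.1 and later); when no device is attached it falls back to embedded sample output whose package names are constructed for the example and are not indicators from the report.

```shell
#!/bin/sh
# Added example (not from the report): list third-party packages that have no
# enabled launcher activity, i.e. apps that stay installed but show no icon.
#
# Live inputs on a connected device (assumed: adb on PATH, Android 7.1+):
#   adb shell pm list packages -3
#   adb shell cmd package query-activities --components \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
#
# Constructed sample of `pm list packages -3` output; the package names are
# made up for this example and are not indicators from the report.
SAMPLE_PACKAGES='package:com.example.notes
package:com.example.weather
package:com.example.vapor.hidden
package:com.example.camera'

# Constructed sample of the query-activities output: one "pkg/cls" line per
# enabled launcher entry (adb may append \r to each line; awk strips it).
SAMPLE_LAUNCHER_COMPONENTS='com.example.notes/.MainActivity
com.example.weather/com.example.weather.ui.Home
com.example.camera/.CameraActivity'

# hidden_packages PACKAGE_LIST COMPONENT_LIST
# Prints every package in PACKAGE_LIST that has no "pkg/..." line in
# COMPONENT_LIST, sorted, one per line.
hidden_packages() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { sub(/\r$/, "") }                        # tolerate CRLF from adb
        /^package:/ { installed[substr($0, 9)] = 1; next }
        index($0, "/") {                          # launcher component line
            split($0, part, "/")
            has_icon[part[1]] = 1
        }
        END { for (p in installed) if (!(p in has_icon)) print p }
    ' | sort
}

# Pull live data when a device is attached, otherwise use the samples above.
collect_and_report() {
    if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
        pkgs=$(adb shell pm list packages -3)
        comps=$(adb shell cmd package query-activities --components \
            -a android.intent.action.MAIN -c android.intent.category.LAUNCHER)
    else
        pkgs=$SAMPLE_PACKAGES
        comps=$SAMPLE_LAUNCHER_COMPONENTS
    fi
    hidden_packages "$pkgs" "$comps"
}

echo "Installed third-party packages with no launcher icon (triage list):"
collect_and_report
```

The output is a triage list, not a verdict: keyboards, widgets-only apps and background services legitimately ship without a launcher entry, so each reported package should be checked against what the user remembers installing before it is uninstalled. The function works on text rather than calling `adb` itself so the same check can be run against dumps collected earlier during incident response.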