The Google Play Store maintains high security standards while allowing anyone to upload apps, but recently a Russian hacking group named “Sandworm” was caught uploading fake apps to the reputable Google Play Store.
This came to light when the issue was detected by Google's Threat Analysis Group (TAG). TAG made the observation public at the CyberwarCon conference in Arlington, Virginia. These Russia-based hackers were also responsible for planting malware inside US electric utilities in 2014, and they also conducted operations that triggered blackouts in Ukraine.
Another of the most costly attacks registered in the name of “Sandworm” is ‘NotPetya’. Besides this, there are many attacks by the same group that have gone unnoticed so far. Billy Leonard from Google said that “Sandworm was using Ukraine as a testing ground, a proving ground for new activities.” He also disclosed that Google found in December 2017 that the “Sandworm” hacking group was also creating fake versions of Korean Android apps such as media, transit schedule, and finance software.
Google states in a blog post that the first attack took place in South Korea in December 2017. The “Sandworm” group made use of many fake developer accounts and uploaded around 8 different apps to the Google Play Store.
On the face of it, the campaign failed: the fake developers were able to collect only 10 installs per app. However, there is also a possibility that they selected their target downloaders. The hackers struck again in September 2017 and were caught by TAG uploading a fake version of UKR, which is an email app.
The hacking group continued to tamper with Android apps; in 2018, the group tried inserting backdoors into existing, legitimate apps. The location they chose was Ukraine. Thankfully, Google Play Protect saved users from being infected in time. “That had been their first foray into Android malware,” says Leonard. “As in the past, Sandworm was using Ukraine as a testing ground, a proving ground for new activities.”
It is not the first time that a hacking group has tried to break into a developer's key to inject its malware, but the attacks of the “Sandworm” group are significant because the group claims to be connected with the Russian government.
Google has also confirmed that it has removed all the associated Google accounts and 15+ YouTube channels due to this incident. Google also assures users that it is continuously monitoring the space.
Likewise, many campaigns were found in Indonesia as well. The “Sandworm” group itself has existed since 2014, making it one of the middle-aged groups in Russian hacking history. Looking back at the history, Russian groups were also connected with countries like China and Iran, so it wouldn't be fair to connect it solely with the Russian government.