Google Play spyware apps target business travellers

Malware authors have once again succeeded in bypassing Google's security vetting processes, and planted four spyware applications in the company's Play app store.

Security vendor Lookout alerted Google to the existence of four apps incorporating the Overseer spyware, which exfiltrates information from users' Android devices.

Google removed the apps from the Play store after Lookout notified the online giant about the threat.

The Overseer malware was found in an embassy finder tool. Overseer targets foreign travellers, Lookout said, and could be used to spy on executives on business trips.

Lookout said it identified the spyware in collaboration with an unnamed enterprise customer. 

Overseer was also found in two Russian and one European news apps. Lookout noted that they had been downloaded relatively few times and had reviews from fake accounts, indicating that the apps were planted in Play to distribute Overseer.

Once installed on a user's Android device, Overseer collects and exfiltrates a large amount of information over encrypted communications to hide the transmission from network monitoring and intrusion detection solutions.

This includes all contacts with full details, user accounts and the software installed on the Android device.

Data that identifies the device hardware and its capabilities, the network operator used, location and the cellular base-station it is connected to were also collated and sent, along with information on whether or not the smartphone is rooted and contains "sideloaded" software from unofficial app stores.

Lookout said Overseer uses the Facebook Parse Server hosted on Amazon Web Services as its command and control server. Using a popular, United States-based cloud service allows the spyware to further hide itself from network security solutions, Lookout said.

Several types of malware have made it into Google Play over the years, including the device-rooting "Goodless" which installs a backdoor to download unwanted adware and which infected an estimated 850,000 Android devices worldwide.