Cutely named apps siphon user data from phones

Here's a reminder of the ease with which crooks can hide their malware in popular app hubs.

The mobile applications have innocuous-sounding names like Flappy Birr Dog and Flappy Bird, but something sinister lurks inside.

Spyware masquerading as those Android apps and others was downloaded over 100,000 times from the Google Play store last year, cybersecurity company Trend Micro said Thursday. Google has removed all of the apps from the store, but the episode is a reminder of the ease with which crooks can hide their malware in popular app markets.

The spyware is capable of siphoning call logs, SMS conversations, and clipboard items from a user’s phone, according to Trend Micro. Users in scores of countries around the world were affected, researchers said, with a third of infections taking place in India.

The so-called MobSTSPY spyware uses a cloud-messaging service to send the stolen information to a command-and-control server, registering the infected device. The malware then lies in wait for the attacker to send it commands from the server, Trend Micro said.


The malware can also steal credentials by using fake Google and Facebook pop-up screens, according to the research.

“If the user inputs his/her credentials, the fake pop-up will only state that the log-in was unsuccessful,” the Trend Micro blog says, “at which point the malware would already have stolen the user’s credentials.”

Google has been playing whack-a-mole with malware in its app store for some time. In 2017, security specialists removed roughly 700,000 malicious apps from the store.

But the problem of vulnerable apps creeping into stores isn’t unique to Google. In September, Apple had to pull a popular app from the Mac Store after researchers showed it was surreptitiously sending user data to a company in China.

The Trend Micro research shows that app stores remain a logical attack vector for hackers.


“The popularity of apps serves as an incentive for cybercriminals to continue developing campaigns that utilize them to steal information or perform other kinds of attacks,” the researchers wrote.

Sean Lyngaas


Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
