Many may not know it, but in addition to having access to the apps available in the Google Play Store, users of Samsung devices can download and install the applications in the Galaxy Store, the repository of apps specially designed for Samsung smartphones.
Although the tech company has invested a lot of effort in maintaining the integrity of its app store, it was recently discovered that some of the apps it hosts appear to have been infiltrated by threat actors, who now use them to distribute a dangerous variant of mobile malware.
According to the Android Police report, the compromised apps mainly include some clones of Showbox, a popular pirate streaming APK whose servers are currently out of operation. These clones are being distributed to hundreds, or even thousands, of Samsung device users through the Galaxy Store.
Researcher Max Weinbach began raising the alarm about this issue when he noticed that some Showbox-based apps available on the Galaxy Store trigger Google Play Protect warnings when downloaded and installed. A detailed analysis of one of these APKs yielded several low-grade alerts in VirusTotal; in addition, during installation the APK asks for permissions that are too intrusive.
Further analysis concluded that this APK executes dynamic code, so even if it does not contain a malicious payload at the time of installation, it could later download and execute arbitrary code, including malware. It should be noted that dynamic code execution does not have many known legitimate uses, so in practice it is considered malicious behavior.
At least three of these Showbox clones available on the Galaxy Store present similar problems, although the existence of more potentially malicious APKs is not ruled out.
Another notable aspect of this campaign is that the developers of these APKs seem to simply exploit Showbox’s reputation, creating clones of the original app to attract users. The Showbox subreddit, without updates for more than two years, confirms that the application is not working and that other similar apps have nothing to do with this project.
On the magnitude of this campaign, experts mention that Galaxy Store does not keep a count of the times an app is installed, so it is difficult to determine how many users have downloaded these clones of Showbox. However, these APKs accumulate thousands of reviews and scores, so there are many users who have downloaded them.
As usual, the best way to prevent any security risks stemming from a malicious app is simply not to install suspicious software or software downloaded from unofficial locations, in addition to keeping your devices always up to date.