Here’s how malicious Android apps are sneaking malware onto your phone

If you’ve ever wondered why those pesky pop-ups are showing up on your Android phone, you may be shocked to learn that it could be infected with malware — and it might have came through the official Google Play Store.

As Bleeping Computer points out in a new report, malicious app developers have been using a surprisingly successful trick to sneak malware into the Google Play Store, and ultimately onto your phone. The method is performed using something called "droppers," which is a type of code hidden deep within an app that attacks a device with malware in multiple stages.

Droppers can be hard to detect, because they're basically coded into an app. It’s an infection. The dropper itself usually isn’t coded to cause any harm outright. Droppers get its foot in the door and over time downloads the malicious harmful malware to your device.

The reason why dropper deployment is growing is because they’re successful in quietly gaining access to your Android phone. The reason why they’re so successful is because they’re winding up regularly on apps in the Google Play Store.

Droppers essentially act as a trojan horse. When a dropper is coded into an app, it’s fairly benign. With nothing threatening or malicious in the original code, it makes it very difficult to detect. Its purpose at this stage is not to launch an attack on the Android device the app is downloaded to. It’s to gain access. When the app is submitted to the Play Store, Google runs security tests on the device and because the tests find nothing that would cause alarm on the app as-is, the application is usually approved and placed in the Play Store for Android users’ consumption.

Some Malware coders have been so savvy, they've added an additional layer of trickery when coding them. Timers are often added to space out the execution of the malware. Sometimes malware is deployed based on a person’s usage of or permission given to an app.

The existence of droppers dates back well before Android and Android-targeting malware. However, unlike a desktop computer, most smartphones don’t use antivirus software. Cybersecurity companies and research firms have been warning about the growth in use of droppers in the mobile market for some time now. For example, a report by Avast Threat Labs discovered that some Android devices, which are not certified by Google, manufactured by companies like ZTE and Archos, come pre-installed with malware deploying droppers.

Apple’s iOS store requires applications go through a much more stringent testing process before the app becomes available to download on your iPhone. Apple also does not allow iOS apps to download, install, and execute code. This kills the functionality of a dropper, which depends on those later stage future downloads to actually deploy the dangerous malware. If Google is looking to stop malware from finding a way onto its Android devices, they may need to rethink the terms of its Play store and what it allows Android app developers to do.

One thing is for sure. Fighting droppers will be a challenge for Google.