The new Carberp-in-the-Mobile (CitMo) apps found on Google Play masqueraded as mobile applications from Sberbank and Alfa-Bank, two of Russia's largest banks, and VKontakte, the most popular online social networking service in Russia, Maslennikov said. Kaspersky contacted Google on Wednesday and all CitMo variants were deleted from the market by Thursday, he said.
However, the fact that cybercriminals managed to upload these apps to Google Play in the first place raises questions about the efficiency of the app market's anti-malware defenses, such as the Bouncer anti-malware scanner announced by Google earlier this year.
"It seems that it's not that hard to bypass Google Play's defenses because malware continues to appear there regularly," Maslennikov said via email.
Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, believes that it might be hard for Google's Bouncer to detect ZitMo, SpitMo or CitMo components because they are functionally similar to some legitimate applications.
"The mobile version of the Trojan is only responsible with hijacking the received SMS and forwarding its contents to a different recipient, and this behavior is also found in legitimate applications, such as SMS management apps or even applications that allow the user to remotely control their devices via SMS in the event they get stolen or lost," he said via email. "SMS interception is a feature that is well documented on forums, along with sample code. If the same sample code is used both in malicious and legit applications, it would be even harder to detect and block."
The ability to use Google Play to distribute SMS stealing apps offers advantages to cybercriminals, Botezatu said. First of all, some user devices are configured to only install apps obtained from Google Play. Also, users are generally less suspicious of apps downloaded via Google Play and pay less attention to their permissions because they expect the applications to be what their descriptions claim they are, he said.