“Beaver Gang Counter” malware ejected from Play Store

Thanks to Jagadeesh Chandraiah of SophosLabs for his work on this article.

Here’s another cautionary tale from Google Play.

The good news is that the malware in this story has now been removed by Google; the website it used to collect stolen data is offline; and a cautious user would probably have avoided the app in the first place.

The bad news, of course, is that the app fooled Google’s security checks, received Google’s imprimatur, and was accepted into the Play Store at all.

Here’s what you would have seen, back in May 2016 when no more than 10 people had tried the app, if you’d clicked on a link promoting it:

Image from 2016-05-12T23:22:16Z, recovered from the Googleusercontent cache

Beaver Gang Counter may sound an unlikely name for an app with an Entertainment – Everyone classification.

But if you are an avid post-modern gamer (by which we mean games of the board-and-card game sort that are quite deliberately played off-line and face-to-face), you might think it worth taking a look at.

Beaver Gang is a strategic card game for young and old, a contemporary spot of old-school gaming fun.

And fans of modern card and board games aren’t averse to apps that help them keep track of their gameplay, not only for fun but also to help them review the best strategies for the future.

What harm?

What harm to try out an apparently benign app that already has Google’s blessing?

When you run Beaver Gang Counter for the first time, you’ll probably spot the mistake that escaped the attention of reviewers from both Google and the cybercrooks:

There’s a spelling mistake right there in the main menu.

Even if you overlook that faux pas, and try to use the app, you’ll soon realise that you might as well not have bothered, because it doesn’t really do very much…

…so you’ll probably uninstall it and move on.

By then, however, it would be too late.

The Beaver Gang Counter malware explicitly targets users of Viber, a popular app that lets you make free calls, send free text messages, and more.

As with competing apps such as WhatsApp and Skype, you can make video calls, share images and join in multi-person chats.

According to Google Play, Viber currently has somewhere between 500 million and one billion installs, so there are plenty of Viber-equipped Android devices out there.

Once you load it, the Beaver Gang Counter malware raids your Viber directories and starts uploading your images to a website run by the crooks:

The malware raids your Viber directories and steals your images

Android apps can’t usually read each other’s data files, a restriction intended to stop this sort of data-stealing malware from doing its dirty work.

But many apps store large files, such as videos, music and images, on your removable storage, usually an SD card.

That’s not only for convenience (so you can easily move them to other devices) but also to save space on the device itself (so you can install more apps).

Unfortunately, files on external storage aren’t locked down to specific apps by Android’s security subsystem.

Apps can read everything or nothing from your SD card, depending on whether they asked for the READ_EXTERNAL_STORAGE permission at install time.

If you’re wondering why Android doesn’t take as much trouble with SD card security, it’s because SD cards are supposed to be easy to remove and use in other devices, often to share data with completely different apps running on completely different operating systems. Locking individual files to specific apps on one device makes much less sense in that sort of environment.
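The all-or-nothing storage permission described above can be checked before an app is installed or approved. The following is an added example, not code from the original article or from SophosLabs: it parses a decoded AndroidManifest.xml and flags any app that requests both shared-storage access and network access. The sample manifests and package names are constructed, and the manifest is assumed to have been decoded to text XML already (for instance with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# WRITE_EXTERNAL_STORAGE implicitly grants read access as well.
STORAGE = {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"}

def requested_permissions(manifest_xml):
    """Return short names of android.permission.* entries in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                names.add(name[len(PREFIX):])
    return names

def audit(manifest_xml):
    """Flag apps that can both read shared external storage and reach the network."""
    perms = requested_permissions(manifest_xml)
    reads_shared = bool(perms & STORAGE)
    has_network = "INTERNET" in perms
    return {
        "reads_shared_storage": reads_shared,
        "has_network": has_network,
        "review": reads_shared and has_network,
        "permissions": sorted(perms),
    }

# Constructed sample manifests (not taken from any real app).
SCORE_KEEPER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scorekeeper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Score Keeper"/>
</manifest>"""

OFFLINE_NOTES = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("scorekeeper", SCORE_KEEPER), ("notes", OFFLINE_NOTES)):
        print(label, audit(xml))
```

A "review" flag is only a prompt to ask why a simple utility needs both capabilities; plenty of legitimate apps request the same pair.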

What next?

We don’t think this malware seriously troubled anyone, and Google ejected it from the Play Store once its illicit “call home” behaviour became known.

Nevertheless, this story teaches us three things:

  1. Cybercrooks regularly manage to slip past Google Play’s up-front security checks.
  2. Apps can permanently harm your privacy, even if you only try them out briefly.
  3. External storage is less secure under Android than the storage in your device itself.

What to do?

  • Avoid apps with a poor or non-existent reputation. Don’t trust an app about which no one yet seems to know anything.
  • Stick to Google Play if you can. Despite this and other recent failures, it’s still safer than unregulated Android markets where anything goes.
  • Consider using an Android anti-virus. The Sophos product is free, and protects you automatically from malicious and low-reputation apps.
  • Avoid storing personal or private data on your SD card. Android protects your data more strongly against malware when the data is stored on the device itself.