Google Play’s first line of defense against malware was circumvented by attackers who managed to sneak a malicious app called “Black Jack Free” into the official app store. The app was discovered by Lookout Security and removed by Google last week. Lookout estimates that 5,000 people downloaded the app that can siphon financial data from phones, intercept SMS messages and drop additional malicious apps onto a targeted phone.
Google relies on the automated system called VerifyApps to vet apps submitted to the Google Play app store. It isn’t perfect, but security experts say they are surprised that something as glaring as a banking Trojan was able to slip past Google’s defenses.
“The greatest danger to Android users are apps downloaded from third-party stores,” said Christoph Hebeisen, manager of security research and response at Lookout. “What this Trojan shows is that people, even when behaving sensibly and only downloading apps only from Google Play, can still get hit by malware.”