Samsung’s official Android app store, called the Galaxy Store, has had an infiltration of riskware apps that triggered multiple Play Protect warnings on people’s devices.
As reported first by Android Police, the malicious apps mimic ShowBox, a pirate app that went bust in 2018, after a coalition of movie studios managed to identify its operator and filed lawsuits against him.
ShowBox and its “sibling” MovieBox enabled users to access copyright-protected movies and TV shows without paying for a membership subscription to the legitimate broadcasters.
Scammers bet on the popularity of the pirate app, and indeed their cloned apps enjoyed a welcoming reception by the Samsung user community.
Infringing and risky
According to mobile security analyst “linuxct“, these apps trigger a Google Play Protect warning because the apps request access to risky permissions that could allow the installation of malware on the Android device.
If the user grants those requests, the apps are allowed to access contact lists, call logs, execute code, fetch malware payloads click on ads, and more.
After analyzing the apps, Linuxct found ad technology that could be exploited to perform remote code execution, allowing it to be abused to execute commands on the device.
Multiple anti-virus engines on VirusTotal detect samples of these apps as riskware, trojan, ad clicker, or generic malware.
These clone apps were advertised as streaming apps, promising anonymous access to protected content via an integrated VPN tool.
According to Android Police, at least some of these apps did actually offer the promised pirate functionality at some point.
That said, from a legal perspective, Samsung should have rejected these apps for what they claim to be, even if they weren’t posing any other risk.
However, the Samsung Galaxy Store review only vets the submitted apps for malware functionality or malicious behavior, so copyright infringement isn’t a consideration.
Since these apps don’t feature nasty code “out of the box”, they are not treated as malicious and weren’t rejected from the store.
We have reached out to Samsung for a comment on these reports and we will update the post as soon as we hear back from them.
Although the Google Play Store isn’t 100% free from malware or riskware uploads, it remains the safest choice for sourcing Android apps.
In general, pirate apps, either free or paid, pose a legal, security, and privacy risk for their users, and the projected savings/benefits aren’t worth the potential consequences of using them.
These risks are especially true when an app asks for such wide-ranging permissions that allow it to perform commands and access information it should not need to operate.
If you installed one of the ShowBox clones via the Galaxy Store, remove them immediately and run a full scan through a mobile security tool to uproot any potential remnants.