Security researchers at Kaspersky Lab have identified a sophisticated new Android malware strain dubbed GhostHook that can evade Google Play Protect's real-time scanning capabilities. The malware has been found embedded in at least 12 apps on the Google Play Store, collectively downloaded over 3 million times before being detected and removed.
GhostHook uses a novel technique that delays the execution of its malicious payload until several days after installation, avoiding the behavioral analysis that Play Protect performs during and immediately after app downloads. Once activated, the malware can intercept SMS messages, capture banking credentials, and record screen activity without triggering any user-visible notifications.
Google said it has updated Play Protect's detection algorithms and removed all identified apps from the store. Users who may have installed the affected apps, which primarily masqueraded as PDF readers and QR code scanners, should check their installed app list and run a manual Play Protect scan. Security experts recommend limiting app installations to well-known publishers and reviewing app permissions carefully before granting access to sensitive device functions.
