Verified Android developer licenses are being sold in an Internet black market for $100 each, giving buyers unfettered access to the official Google Play app store.
So far, there's only been one buyer, but he's a maker of mobile banking Trojans, security blogger Brian Krebs revealed this week. It's may just be a matter of time before the buyer uses the verified licenses to sneak corrupted apps into the Google Play store.
If so, both legitimate and malicious apps could appear in Google Play under the same publisher's name, fooling app buyers into downloading or purchasing malware.
Google charges only $25 for an Android developers' license, though the applicant must also have a Gmail account and, according to Krebs, a unique Web domain name. Successful applicants get digital signatures that verify the authenticity of their apps.
Krebs said the $100-per-secondhand-license buyer has already made a fairly simple Android mobile banking Trojan called "Perkele," or "devil" in Finnish. Perkele is programmed to intercept two-step-authentication text codes texted to the victim's smartphone from his bank.
Perkele works with existing PC banking Trojans that modify banking websites as the victim attempts to access his online bank account. The altered site prompts users to install a "security certificate" on their smartphones, which is actually Perkele.
Once installed, Perkele secretly waits for the user to log into his online bank account, then copies the two-step authentication code and sends it to the controller of the PC banking Trojan, who uses it to log into the victim's account.
According to Krebs, Perkele targets Citibank, HSBC, ING, Barclays and other financial institutions in 10 countries.
Yet Perkele is hardly the biggest threat out there for Android users. Other banking Trojans, such as Zitmo or "ZeuS in the Mobile," are more dangerous because they manipulate both the PC and mobile connections between the victim and his bank at the same time.
Android users can best protect themselves by paying attention to app-installation permissions and making sure new apps are scanned by Android anti-virus software or by Google's on-phone malware scanner (available only for Android 4.2 so far).
Users should also check their Android security settings to make sure their smartphones or tablets cannot accept app installations from "unknown sources" outside Google Play. That won't stop corrupted Google Play apps, but it will stop lower-level stuff like Perkele.
Unlike Apple, Google lets its app developers test and upload apps to the app store themselves. Google's Bouncer software runs all uploaded software through an emulator meant to catch malicious apps, but malware still gets through.
Generally, when malware or other Android apps that violate Google's terms and conditions are discovered, Google removes all apps by that developer from the Play Store.
It'll be interesting to see what happens if a single developer is tied to both legitimate and malicious apps.