Google Play App Store on Pixel 3 XL Android Phone, with Notch
Google Play App Store on Pixel 3 XL Android Phone, with Notch (Photo: Tony Webster/Flickr)

Security researchers from Wandera recently issued a haunting report. They discovered a horror game called "Scary Granny" lurking surreptitiously on Google Play. While this game looks unassuming on the surface, it packs a load of malicious code under the hood. According to Wandera, the game is programmed to steal user information and passwords without the user's permission.

While majority of malicious Android apps usually target users of third-party app stores, "Scary Granny" is completely different. What sets it apart from other malicious apps is the fact that it was able to bypass Google's strict security and approval to be able to be listed on its Google Play Store.

It is almost impossible to upload a malicious app into the Google Store. Google understands that its online app store is a prime target for hackers and malicious users, which is why it implements strict security protocols in order to comb through these apps. Nevertheless, despite these security efforts, hackers can sometimes find a way to bypass these measures.

"Scary Granny" used two unique techniques to bypass Google's security. First, it mimicked a popular Android game "Granny," which has clocked more than 100 million installs. Once the game was approved by Google to be listed on the Play Store, it did not release its payload right away. It employed patience and quietly sit there until it was the right time to unload its evil plans.

According to Wandera security engineers, the game waited for several days before it released some of its malicious activities. By doing so, the app was able to boost its number of potential victims as unsuspecting users continue to download it into their devices.

Aside from those practices, the malicious code was actually hidden beneath a legitimate game. This is relatively rare since most malicious apps are poorly crafted. By hiding the payload underneath a fully legitimate game, users did not saw this immediately as a threat.

Once it had garnered enough installs, the game started to unload its payload. From this point on, unwanted ads would pop up. These ads are disguised to look like legitimate transactions as it asks the user to pay for the game. The app also employed a number of phishing attacks.

According to Wandera, more than 50,000 users installed "Scary Granny" before Google took it out of the Play Store. Both Google and Wandera did not provide the actual number of users that were affected by the malicious app.