A common practice in the world of cybercrime is to make malware look like versions of apps. Picture: Reuters

Cybercriminals are seeking new ways to hide in phones and compromise devices, says ESET Southern Africa.

Below are some of the common behaviours of malicious Android code over the last few years.

Use fraudulent accounts in the Play Store to distribute malware

Malware in the official Google store never stops appearing. For cybercriminals, sneaking their malicious applications into the marketplace of genuine apps is a huge victory, as they can reach many more potential victims, thus having an almost rock-solid guarantee of more infections.

What’s more, the fake developer accounts used to spread insecure or malicious apps try to look as similar as possible to real accounts, to dupe unsuspecting users who end up getting confused by them. In a recent example of this, researchers discovered a fake app for updating WhatsApp that used a Unicode character trick to give the impression of being distributed through the official account

Take advantage of commemorative dates and scheduled app release dates

A common practice in the world of cybercrime is to make malware look like versions of apps – games, mostly – that have gained sudden popularity, which are either scheduled for release or are not available in official stores for certain countries. This happened with Pokémon GO, Prisma and Dubsmash, adding hundreds of thousands of infections worldwide.

Tapjacking and overlay windows

Tapjacking is a technique that involves capturing a user’s screen taps by displaying two superimposed apps. So, victims believe that they are tapping on the app that they are seeing, but they are actually tapping on the underlying app, which remains hidden from view.

READ: 7 tips on how not to fall victim to cybercrime

Another similar strategy, which is widely used in spyware for credential theft in Android, is overlay windows. In this scam, the malware continually tracks the app that the user is using, and when it coincides with a certain objective app, it displays its own dialog box that looks just like the legitimate app, requesting credentials from the user.

Camouflaged among system apps

By far, the easiest way for malicious code to hide on a device is to pass itself off as a system app and go as unnoticed as possible. Malpractices such as deleting the app icon once the installation is finished or using names, packages and icons of system apps and other popular apps to compromise a device are strategies that are emerging in code like this banking Trojan that passed itself off as Adobe Flash Player to steal credentials.