Google has recently pulled 36 fake security apps from Google Play, after they’ve been flagged by Trend Micro researchers.
Posing as legitimate security solutions, and occasionally misusing the name of well-known AV vendors like Avast, the apps seemed to be doing the job: they showed security notifications and other messages, warned users about malicious apps, and seemingly provided ways to fix security issues and vulnerabilities.
But, it was all an act: the notifications are bogus, and the apps used simple animations to trick users into believing the discovered issues were resolved.
The apps’ real goal was to bombard users with ads and entice them to click on them, as well as to covertly collect information about the user, the device, the OS and the installed apps, track the user’s location, and upload all of this to a remote server.
Some interesting findings
Once installed on a target device, these fake apps could prevent themselves from appearing in the device launcher’s list of applications and from showing an icon on the device’s screen. That trick was, for some reason, deliberately not applied on certain devices.
“The excluded devices are: Google Nexus 6P, Xiaomi MI 4LTE, ZTE N958St and LGE LG-H525n. It is possible the malware developers knew that this tactic would not work on these devices, or they wanted to avoid being checked by Google Play during inspection periods,” the researchers noted.
Another interesting fact is that users who downloaded and installed one of these apps were asked to agree to a EULA (end-user license agreement) that describes the information that will be gathered and used by the app.
The researchers offered the usual advice of being careful to download apps only from trusted sources. Unfortunately, even Google Play cannot be trusted completely to deliver only legitimate, non-malicious apps.
Another piece of advice is to review carefully which permissions the app requires, and see if they are needed for it to provide the stated capabilities.
Thirdly, check the reviews and comments left by other users, and check whether the named developer seems legit. For example: an app named Avast Security that isn’t developed by Avast should make you suspicious.
The researchers have provided a list of app names, package names and SHA256 hashes of these fake security apps, so that users can check whether they have actually installed one or more of them.
The list is extensive, as it includes hashes for different versions of the same apps, most of which were found on Google Play. Trend Micro detects all of them, since the malicious apps, with small changes in their code, may also be distributed through third-party app stores or forums.
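One practical way to use such a list is to match it against what is actually installed on a device: compare package names, and compare SHA256 digests of the pulled APKs so that a renamed build of the same app is still caught. The script below is an added example, not code from the article or from Trend Micro; the package names, file contents and digests in it are constructed for the demo and the real indicators from the researchers’ list would be substituted in. It parses the output format of `adb shell pm list packages -f` (the APKs themselves are assumed to have been copied to the local machine with `adb pull`), which is a plain offline text-and-file check.

```python
"""Match installed Android packages against known-bad package names and
APK SHA256 hashes (an indicator-of-compromise style check).

Added example; not part of the original article. Indicators below are
constructed placeholders, not the Trend Micro list."""
import hashlib
import os
import tempfile
from typing import Callable, Dict, List, Optional, Set, Tuple

# Hypothetical package-name indicator (placeholder, not a real IOC).
IOC_PACKAGES: Set[str] = {"com.example.fake.avast.security"}


def sha256_file(path: str) -> str:
    """Stream a file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_pm_list(output: str) -> Dict[str, str]:
    """Parse `adb shell pm list packages -f` output into {package: apk_path}.

    Each useful line looks like:
        package:/data/app/com.foo-1/base.apk=com.foo
    Lines without the prefix or without '=' are ignored."""
    mapping: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if not sep:
            continue
        mapping[pkg] = path
    return mapping


def find_matches(installed: Dict[str, str],
                 ioc_packages: Set[str],
                 ioc_hashes: Set[str],
                 resolve_local: Optional[Callable[[str], Optional[str]]] = None
                 ) -> List[Tuple[str, str, str]]:
    """Return (package, reason, value) for every installed app hitting an IOC.

    resolve_local maps the on-device APK path to the pulled local copy; when
    it returns None (or the file is missing) only the name check runs."""
    hits: List[Tuple[str, str, str]] = []
    for pkg, device_path in installed.items():
        if pkg in ioc_packages:
            hits.append((pkg, "package-name", pkg))
        local = resolve_local(device_path) if resolve_local else device_path
        if local and os.path.isfile(local):
            digest = sha256_file(local)
            if digest in ioc_hashes:
                hits.append((pkg, "sha256", digest))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Constructed scenario: three pulled 'APKs' (plain byte files, not real
    APKs). One is listed by name, one is a renamed rebuild listed by hash,
    one is benign."""
    tmp = tempfile.mkdtemp()
    apks = {
        "com.example.fake.avast.security": b"fake-apk-A",
        "com.example.renamed.cleaner": b"fake-apk-B",  # same code, new name
        "com.example.benign.notes": b"fake-apk-C",
    }
    device_to_local: Dict[str, str] = {}
    for pkg, content in apks.items():
        local = os.path.join(tmp, pkg + ".apk")
        with open(local, "wb") as f:
            f.write(content)
        device_to_local["/data/app/%s-1/base.apk" % pkg] = local
    # Constructed hash indicator: the digest of the renamed app's APK.
    ioc_hashes = {hashlib.sha256(b"fake-apk-B").hexdigest()}
    pm_output = "\n".join("package:%s=%s" % (dev, pkg)
                          for pkg, dev in
                          ((p, "/data/app/%s-1/base.apk" % p) for p in apks))
    installed = parse_pm_list(pm_output)
    return find_matches(installed, IOC_PACKAGES, ioc_hashes,
                        device_to_local.get)


if __name__ == "__main__":
    for pkg, reason, value in demo():
        print("HIT %-40s via %-12s %s" % (pkg, reason, value))
```

The hash check is what catches the "small changes in their code" case only partially: a rebuilt APK has a new digest, so the name and hash lists should be treated as complementary, and a hit on either is enough to warrant uninstalling the app.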