Dozens of infected apps flew under Google's radar

Apr 25, 2017 21:45 GMT

About 2 million Android users have mistakenly installed malware on their devices straight from Google Play, the company's official app store. 

According to cybersecurity researchers from Check Point, the malware was hidden in more than 40 fake companion guide apps for popular games such as Pokemon GO and FIFA Mobile, hence the malware's name, FalseGuide.

Check Point initially believed the oldest fake guide had reached Google Play in February this year, which would have made this a recent campaign, but on closer inspection the researchers found additional apps dating back to November 2016.

FalseGuide was initially believed to have infected north of 600,000 users; the estimate now sits at 2 million Android users, all of whom downloaded and installed the malware while looking for guides to their favorite games.

Once installed, FalseGuide enrolls the device in a silent botnet that is used to push adware.

"FalseGuide requests an unusual permission on installation - device admin permission. The malware uses the admin permission to avoid being deleted by the user, an action which normally suggests a malicious intention. The malware then registers itself to a Firebase Cloud Messaging topic which has the same name as the app. Once subscribed to the topic, FalseGuide can receive messages containing links to additional modules and download them to the infected device," the report shows.

A complicated campaign

After some investigation, Check Point determined that the botnet was being used to display illegitimate pop-up ads out of context, via a background service that starts running as soon as the device boots. The downloaded modules need not stop at adware, the report warns: "Depending on the attackers' objectives, these modules can contain highly malicious code intended to root the device, conduct a DDoS attack, or even penetrate private networks."
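The Check Point description above gives three manifest-level indicators that a triage script can look for in a decoded APK: a device-admin receiver (used to resist uninstallation), a Firebase Cloud Messaging service (the command channel) and a boot-completed receiver (the background service). The following is an added example written for this page, not code from Check Point, ESET or the FalseGuide apps themselves; the two manifests are constructed inline for illustration, and the scoring rule (device admin plus FCM together is suspicious) is a heuristic assumption, since each indicator on its own is common in legitimate apps.

```python
import xml.etree.ElementTree as ET

# Android's XML namespace; decoded manifests (e.g. apktool output) use it for attributes.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: what a FalseGuide-style manifest would contain according to the
# report (device admin receiver, FCM messaging service, boot receiver). Hypothetical names.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gameguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".MsgService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that uses FCM for push notifications only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".PushService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Return which of the three indicators appear in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = {"device_admin": False, "fcm_receiver": False, "boot_receiver": False}
    app = root.find("application")
    if app is None:
        return findings
    for comp in list(app.findall("receiver")) + list(app.findall("service")):
        actions = {
            _attr(action, "name")
            for flt in comp.findall("intent-filter")
            for action in flt.findall("action")
        }
        # Device admin: receiver protected by BIND_DEVICE_ADMIN or handling DEVICE_ADMIN_ENABLED.
        if (_attr(comp, "permission") == "android.permission.BIND_DEVICE_ADMIN"
                or "android.app.action.DEVICE_ADMIN_ENABLED" in actions):
            findings["device_admin"] = True
        # FCM: messaging service, or the legacy c2dm receiver merged in by the library.
        if ("com.google.firebase.MESSAGING_EVENT" in actions
                or "com.google.android.c2dm.intent.RECEIVE" in actions):
            findings["fcm_receiver"] = True
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings["boot_receiver"] = True
    return findings


def is_suspicious(findings):
    """Heuristic (an assumption of this example): a game-guide app that both demands
    device admin and listens on an FCM topic warrants manual review; a boot receiver
    on its own is too common to count."""
    return findings["device_admin"] and findings["fcm_receiver"]


if __name__ == "__main__":
    for label, manifest in (("guide app", SUSPICIOUS_MANIFEST), ("news app", BENIGN_MANIFEST)):
        found = triage_manifest(manifest)
        print(label, found, "-> review" if is_suspicious(found) else "-> ok")
```

Run it against `apktool d app.apk` output by reading `AndroidManifest.xml` from the decoded directory in place of the inline strings; the indicators are triage hints for a reviewer, not a detection signature, because device admin is legitimately used by MDM and anti-theft apps and FCM by almost every app with push notifications.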

The apps were posing as guides for FIFA Mobile, Lego Nexo Knights, Lego City My City, Rolling Sky, Terraria, World Of Tanks, Drift Zone 2, Mobile Legends, Criminal Case, Subway Surfers, Pokemon Go, Dream League Soccer, Super Mario, Amaz3ing Spider Man, Ninjago Tournament, and so on.

Mobile botnets have been growing in popularity since early last year, the researchers note. This type of malware gets past Google Play's review because the first-stage component contains nothing malicious itself; it only downloads the actual harmful code after installation.

The FalseGuide apps have been removed from the app store.

Updated to include commentary from ESET:

“This is an interesting discovery on the Google Play store with a huge number of installs, however the real question is how it got through Google security systems. I believe it managed to get to the Play Store due to a missing payload – which displays unwanted ads – that was downloaded not using typical HTTP protocol but Firebase Cloud Messaging (FCM). But that isn’t the worst thing, an attacker using this payload could not only display aggressive advertisement but also download additional apps or even malware with excessive permissions. We at ESET detect this threat as Android/TrojanDownloader.Agent.JR,” said Lukáš Štefanko, malware researcher at ESET.