AL2022_83 New malicious Android apps spotted on the Google Play store (6th December 2022)

Description  

Some new malicious android apps were recently discovered to have infiltrated Google Play store, infecting devices with malware, adware and apps with phishing tactics. 

Summary 

This recent surge has amounted to over two million downloads in total according to research done by the team at Dr. Web. The apps that were discovered were seen pretending to be utilities, optimizers and get-paid-to apps that ultimately leads to a degrade in performance and user experience, ads and stolen information. 

One app that has accumulated over one million downloads is called TubeBox, which is still available on the Google Play store as of December 4, 2022. This is a get-paid-to app that claims users can earn monetary rewards for watching videos (more specifically YouTube videos) and ads through its platform however there are no rewards, and it is a trap to get users on the app for as long as possible to generate revenue for the developers of the app. Some other adware apps that appeared in October 2022 that had an extended number of downloads were: 

  1. ‘Bluetooth device auto connect’ by (bt autoconnect group) with 1,000,000 downloads 

  1. ‘Bluetooth & Wi-Fi & USB driver’ by (simple things for everyone) with 100,000 downloads 

  1. ‘Volume, Music Equalizer’ by (bt autoconnect group) with 50,000 downloads 

  1. ‘Fast Cleaner & Cooling Master’ by (Hippo VPN LLC) with 500 downloads 

According to the researchers at Dr. Web, the apps mentioned above receive commands from Firebase Cloud Messaging and load websites specified in these messages, generating specific, fraudulent ads in the compromised devices. In addition, the ‘Fast Cleaner & Cooling Master’ app has the ability to be configured as a proxy server, therefore allowing the developers to direct traffic through the compromised device. 

The final discovery by the researchers shows over ten Russian loan scam apps claiming to have a relationship with Russian banks and investment groups, with each having over ten thousand downloads. These apps were said to be promoted through malvertising and promise users investment profits and high income however the app makes use of phishing sites to collect users' personal information. 

Remediation  

To protect against fraudulent apps on Google Play store, Android users are advised to always verify the authenticity of apps and only download from reputable developers. It is also advised to always check reviews for apps and the privacy policy to verify what information is being collected by the app. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.     

PDF Download: Malicious Android apps spotted on the Google Play store.pdf

References