
FalseGuide Malware Infects Millions Of Android Devices

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Face palm for Google’s security screening. Source of FalseGuide adware is none other than Google Play store

Security issues surrounding Google’s Android operating system are a weekly occurrence. But when the official app store (not a third party site) is identified as the source of new malware, the embarrassment factor is raised a few notches for Google’s security team.

This seems to be the case after Check Point warned in a blog posting that the originator of the adware known as FalseGuide is none other than Google Play store itself.

And to make matters worse, the security researchers warned that the malware has already infected nearly two million Android devices.

Millions Infected

The problem for Google has been compounded because the Check Point mobile threat researchers found that the FalseGuide is more extensive than first thought.

The researchers detected a new strain of malware on Google Play hidden in at least 45 guide apps for games, developed by “Анатолий Хмеленко”.

Some of the apps were successfully uploaded to Google Play as long ago as November 2016, and have accumulated “an astounding number of downloads.”

Indeed, the researchers now estimate that there are nearly 2 million infected Android users.

“Check Point notified Google about the malware, and it was swiftly removed from the app store,” blogged Check Point. “At the beginning of April, two new malicious apps were uploaded to Google Play containing this malware, and Check Point notified Google once again.”

The researchers warned that FalseGuide is similar to previous malware found on Google Play, such as Viking Horde and DressCode.

How It Works

It seems that FalseGuide creates a silent botnet out of the infected devices for adware purposes. FalseGuide can be spotted as it tends to request an unusual permission on installation, namely device admin permission.

This allows the malware to avoid being deleted by the user, which should automatically raise anyone’s suspicions.

Once the malware has this permission, it registers itself to a Firebase Cloud Messaging topic which has the same name as the app. It seems that once subscribed to the topic, FalseGuide can receive messages containing links to additional modules and download them to the infected device.

“After a long wait, we were able to receive such a module and determine that the botnet is used to display illegitimate pop-up ads out of context, using a background service that starts running once the device is booted,” said the researchers. “Depending on the attackers’ objectives, these modules can contain highly malicious code intended to root the device, conduct a DDoS attack, or even penetrate private networks.”
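As an added illustration (not code from Check Point or from this article), the Python script below checks a decoded AndroidManifest.xml for the three indicators the text describes: a receiver bound as device administrator, a Firebase Cloud Messaging listener service through which modules could be pushed, and a receiver that restarts a background service at boot. It assumes the manifest has already been decoded from the APK to plain XML (for example with apktool); both sample manifests are constructed for this example and do not come from any real app.

```python
"""Static triage of a decoded AndroidManifest.xml for the behaviour the
FalseGuide write-up describes. Added example; sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android / Firebase identifiers for the three indicators.
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _actions(component):
    """All <action android:name=...> values inside a component's intent filters."""
    return {
        _attr(action, "name")
        for intent_filter in component.findall("intent-filter")
        for action in intent_filter.findall("action")
    }


def triage_manifest(manifest_xml):
    """Map indicator -> list of component names that declare it.

    device_admin : receiver bound with BIND_DEVICE_ADMIN or handling DEVICE_ADMIN_ENABLED
    fcm_listener : service handling Firebase MESSAGING_EVENT (push-driven module delivery)
    boot_start   : receiver for BOOT_COMPLETED (background service restarted at boot)
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = {}
    if app is None:
        return findings
    for receiver in app.findall("receiver"):
        name = _attr(receiver, "name")
        actions = _actions(receiver)
        if _attr(receiver, "permission") == DEVICE_ADMIN_PERMISSION or DEVICE_ADMIN_ACTION in actions:
            findings.setdefault("device_admin", []).append(name)
        if BOOT_ACTION in actions:
            findings.setdefault("boot_start", []).append(name)
    for service in app.findall("service"):
        if FCM_ACTION in _actions(service):
            findings.setdefault("fcm_listener", []).append(_attr(service, "name"))
    return findings


def is_suspicious(findings):
    """A game guide has no legitimate need to be a device administrator;
    that indicator alone is the red flag the article points at."""
    return "device_admin" in findings


# Constructed manifest mimicking the layout described in the article.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gameguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Game Guide">
    <activity android:name=".GuideActivity"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".PushService">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of a plain guide app with no such components.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Guide">
    <activity android:name=".GuideActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(xml)
        print(label, found, "-> flag" if is_suspicious(found) else "-> ok")
```

The device-admin check is the decisive one for a guide app; the push listener and boot receiver are common in legitimate apps and are reported only as supporting context for an analyst.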

The researchers said that FalseGuide disguises itself as a game guide for two main reasons. Firstly, guide apps are very popular, and secondly, guide apps require very little development and feature implementation.

“For malware developers this is a good way to reach a widespread audience with minimal effort. The malicious apps were submitted under the names of two fake developers – Sergei Vernik and Nikolai Zalupkin, suggesting a Russian connection, while the second is clearly (to a Russian speaker) a made up name,” said Check Point.

The researchers warned that mobile botnets are a growing trend and that Android users should not rely on the app stores for their protection.

Android users are encouraged to implement additional security measures on their mobile devices.

Android Security

This is not the first time that malware has been found on the Google Play store, and it should be noted that infected applications are regularly found there in spite of Google’s security screening processes.

Late last year, for example, Trend Micro discovered the DressCode malware in more than 400 apps on Google Play.

Prior to that, malware called CallJam was removed from Google Play, where it posed as a game but made premium-rate calls in the background once installed on a phone.

And this January Check Point revealed a new piece of ransomware called “Charger”, which was downloaded via an infected Android app on the Google Play store.

In March a slew of fake Minecraft mods were discovered on the Google Play Store that, when downloaded, exposed users to scams and aggressive ads.

And then last month researchers revealed that Boost Views on the Google Play store was found to carry the Trojan.Android/FakeApp.FK malware under the guise of paying users real money in return for views on YouTube.
