Scareware found hidden in Google Play apps downloaded by millions

Days after installation the apps started displaying fake warning messages promoting other rogue apps and services

Google has done a good job at keeping data-stealing Trojan apps out of Google Play, but attackers still find ways to monetize rogue apps through the store.

Avast Software researchers recently found three apps on Google Play with hidden adware functionality that was designed to activate days after the apps were installed. The rogue applications -- a game called Durak, an IQ test and a history app -- had been downloaded millions of times.

When people first install Durak, it looks and acts like a normal gaming app, Avast researcher Filip Chytry said in a blog post Tuesday. "This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device."

Specifically, every time users unlock their phones, the app displays persistent ads claiming the device and its data are at risk.

Users are asked to act, but if they do, they run into real trouble, according to the researcher. For example, they may get redirected to questionable app stores and to apps that surreptitiously attempt to send premium text messages on behalf of the users. People may also encounter apps that collect too much of their information without offering much value.

If this sounds familiar, it's because the scheme is similar to the highly effective scareware scams that have plagued PC users for years by spooking them into installing rogue antivirus programs or system optimization tools using fake warnings.

Delaying the warning messages for several days is a clever technique by the rogue developers because users will have a hard time determining which app is responsible for the alerts, and that's assuming they even suspect that the messages are triggered by an app.

Also, apps uploaded to Google Play are scanned inside an Android emulator called Bouncer to observe their post-installation behavior. By delaying the malicious activity, the app authors likely hope to bypass this behavior-based analysis.

"I believe that most people will trust that there is a problem that can be solved with one of the apps' advertised 'solutions' and will follow the recommended steps, which may lead to an investment into unwanted apps from untrusted sources," Chytry said.

In some cases the rogue ads directed users to legitimate security apps that were also hosted on Google Play, probably in an attempt to earn money through referral schemes.

"These security apps are, of course, harmless, but would security providers really want to promote their apps via adware?" Chytry said. "Even if you install the security apps, the undesirable ads popping up on your phone don't stop."

Google has removed the three offending applications identified by Avast from Google Play. However, the incident shows that although Trojans account for most Android malware, other types of threats also lurk on the official app store.

Google didn't immediately respond to a request for comment.
