Scammers put a fake Android security patch app in Google Play to infect smartphones.
The bogus patch, packaged as an app, was briefly available in Google Play and purported to fix the so-called QuadRooter bugs that were revealed by security firm Check Point last week.
QuadRooter consisted of four bugs that affect as many as 900 million Android smartphones with Qualcomm chips inside. Devices could be compromised if users installed a malicious app that exploits the bugs. Google has released patches for three of the four bugs, and will provide a patch for the fourth bug in a future update.
But while the fixes are already available for Google’s own Nexus devices, it’s still not known which handsets from Google’s Android partners have received the update. Likely, though, very few have. Sony last week promised to soon release the patch for certain Xperia devices, according to Android Authority.
Perhaps exploiting the uncertainty about which devices will receive the Android security updates, scammers published two Android apps on Google Play that claimed to fix QuadRooter flaws but instead serve unwanted ads.
According to security firm ESET, Google has now pulled the two offending apps from Google Play. Both were called “Fix Patch QuadRooter” and came from the publisher Kiwiapps Ltd.
ESET researchers said it is the first time fake Android security patches have been used to lure potential victims. The same ruse has been employed to infect Windows systems with malware, but on Android a more common cover for spreading malicious apps is to rig bogus versions of popular games.
Lukáš Štefanko, an ESET researcher, is concerned that this technique could set a trend.
“What worries me, for example, is that fake patches – on top of having the potential to really attract users’ attention – have a valid reason to require every possible permission,” noted Štefanko.
“If an app promises to make any fix to your system, it’s a scam,” he added.
Google has stepped up pressure on Android device makers and carriers to deliver the patches it creates more promptly; however, the only devices guaranteed to receive Google’s monthly security updates are its own Nexus line.
Devices from other manufacturers, particularly older models, often never receive the patches. This confusion over timing and delivery arguably could prompt concerned Android owners to go in search of a security fix.
Google meanwhile has assured Android users that its Verify Apps feature, which is on by default in Android 4.2 and above, could block malicious apps that attempt to exploit the QuadRooter flaws. However, the only real fix is a patch that contains fixes for all four bugs.