Android users might have put themselves in danger and not even know it. It’s estimated that over 600,000 users accidentally downloaded malware from Google Play. The malware, once downloaded, attempts to create a botnet which then brings fraudulent mobile adware and earns money for the cybercriminals responsible for the malware’s creation.
Cybersecurity researchers at Check Point discovered the sneaky malware and named it FalseGuide. The malware is hidden within over 40 fake companion guide applications for app games like Pokemon GO and FIFA Mobile. Check Point also found that the oldest of the malware was put on Google Play around February 14th of this year.
What makes things worse is the fact that several of the apps have been downloaded more than 50,000 times. It’s also believed that over 600,000 android user mistakenly downloaded this malware thinking it was a guide for their games.
But this isn’t the first time Google Play has been harboring some bad bugs. In fact, other malware like Viking Horde and DressCode tried to create Android botnets just as FalseGuide is doing now.
What happens is that the FalseGuide malware attempts to create faulty mobile adware. It will download and display what appears to be legitimate pop-up adverts with the purpose of bringing cash to its creators through ad display. Once it’s been downloaded, the FalseGuide malware will then request admin permission. This allows the malware to ensure that it cannot be deleted by the user.
That’s one way to tell that an app is up to no good.
But this isn’t known when it uploads itself to Google Play. That’s the main point of the malware’s creation is go in undetected. The only time it is suspected as fraudulent is after it has been downloaded into the user device, and the user has given it admin permission.
After it’s been installed into the device, the malware will then send notifications with the name like “Guide for Pokémon Go.” It has already registered itself to Firebase Cloud Messaging which is a cross-platform service that gives the creators permission to send these notifications.
The use of Firebase is what the FalseGuide malware depends on in order to receive additional modules and download those to the user’s device. FalseGuide’s pop-up ads will almost always be out of context and will use background service that starts the minute the infected device boots up.
Yet it is not just making money through ads that the malware developers can use FalseGuide for. In fact, it can receive other instruction modules from the command-and-control server. Those instructions can have the malware create botnets to root the device, conduct a DDoS attack, or even sneak into private networks.
The real question is who is behind the creation of the FalseGuide malware? It is suspected that the app originated from Russia due to the fact that they were submitted under Russian name of two fake developers—Sergei Vernik and Nikolai Zalupkin—but Russian-speaking researchers say that the latter is clearly a false name. So there’s really no telling who created it.
It is obvious why they chose Google Play apps for their target audience. The games are very popular and generate a large audience. There’s also the fact that the apps do not need much when it comes to features and development, so making them is rather easy.
Check Point told Google back in February that it had an unwanted visitor. Google then quickly removed the malware from the Play Store. Yet even after the malware was removed, its creators didn’t seem to give up. They kept uploading more malware apps into the Play Store around April. Once again Check Point notified Google who had the malware removed once again.
A Google spokesperson commented on the matter saying that the company is always “making improvements to our system.” Google’s spokesperson also wanted users to know that the company takes threats like this one very seriously and “tries to take immediate action whenever a questionable app is brought to our attention.”
FalseGuide has once again been removed from the Google Play Store, but it’s possible that traces of it still survive due to the vast number of installs it’s had since its creation. While Google, and companies like it, do everything in their power to protect the billions of its users, malware like FalseGuide will always find a crack in the armor to slip through.