A malware family known as FalseGuide masqueraded as game guides on Google Play to infect nearly two million Android devices.
Mobile threat researchers spotted the malware hiding in more than three dozen guide apps available for download on Google’s Play Store. Some of these apps had been around since mid-February 2017. Several of the affected programs boasted more than 50,000 installations at the time of discovery.
Why gaming guides, you might ask? Check Point’s Oren Koriat, Andrey Polkovnichenko and Bogdan Melnykov have the answer:
“FalseGuide masquerades as guiding apps for games for two major reasons. First, guiding apps are very popular, monetizing on the success of the original gaming apps. Second, guiding apps require very little development and feature implementation. For malware developers this is a good way to reach a widespread audience with minimal effort.”
FalseGuide is similar to other Android malware like DressCode (and its successor MilkyDoor) in that it seeks to build a botnet of compromised devices. It collects a new victim by obtaining admin privileges from the device owner, superuser rights which it uses to avoid deletion by the user. It then registers itself to a Firebase Cloud Messaging topic, thereby allowing the fake app to receive messages containing links to additional modules.
One add-on allows FalseGuide to display out-of-context pop-up ads. Others could leverage the overall strength of the botnet to launch distributed denial of service (DDoS) attacks and penetrate private networks.
Clearly, mobile botnets will continue to surface on Google’s Play Store. With that in mind, users should protect themselves by reading the reviews of any app before they install it, including programs found on the Play Store. These comments usually disclose suspicious behavior.
If users decide to install an app, they should review its permissions carefully before they finalize the download process. There’s no reason an app like a game guide requires admin permissions. Not now. Not ever.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.