Almost two million Androids infected by FalseGuide malware, masquerading as game guides

Not the first botnet-based badware to be found on Google Play…

David Bisson


A malware family known as FalseGuide masqueraded as game guides on Google Play to infect nearly two million Android devices.

Mobile threat researchers spotted the malware hiding in more than three dozen guide apps available for download on Google’s Play Store. Some of these apps had been around since mid-February 2017. Several of the affected programs boasted more than 50,000 installations at the time of discovery.

An app containing FalseGuide malware on Google Play. (Source: Check Point)

Why gaming guides, you might ask? Check Point’s Oren Koriat, Andrey Polkovnichenko and Bogdan Melnykov have the answer:


“FalseGuide masquerades as guiding apps for games for two major reasons. First, guiding apps are very popular, monetizing on the success of the original gaming apps. Second, guiding apps require very little development and feature implementation. For malware developers this is a good way to reach a widespread audience with minimal effort.”

FalseGuide is similar to other Android malware like DressCode (and its successor MilkyDoor) in that it seeks to build a botnet of compromised devices. It enlists a new victim by obtaining admin privileges from the device owner, superuser rights that it then uses to avoid deletion by the user. It then registers itself to a Firebase Cloud Messaging topic, which allows the fake app to receive messages containing links to additional modules.

One add-on allows FalseGuide to display out-of-context pop-up ads. Others could leverage the overall strength of the botnet to launch distributed denial of service (DDoS) attacks and penetrate private networks.

Clearly, mobile botnets will continue to surface on Google’s Play Store. With that in mind, users should protect themselves by reading the reviews of any app before they install it, including programs found on the Play Store. These comments usually disclose suspicious behavior.

If users decide to install an app, they should review its permissions carefully before they finalize the download process. There’s no reason an app like a game guide requires admin permissions. Not now. Not ever.
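The permission review described above can also be done before an app ever reaches a device. The following is an added example, not code from the article or from Check Point's research: a triage script that reads a decoded AndroidManifest.xml and reports receivers that ask for device admin rights alongside services that receive Firebase Cloud Messaging events. It assumes the manifest has already been decoded from the APK's binary XML to text (for instance with apktool); the package and class names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Constructed sample: decoded manifest of a hypothetical guide app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gameguide">
  <application android:label="Game Guide">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".PushService">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>""".strip()

def _actions(component):
    """Collect the intent-filter action names declared under a component."""
    return {a.get(ANDROID_NS + "name") for a in component.iter("action")}

def triage_manifest(manifest_xml):
    """Report components that request device admin or receive FCM messages."""
    root = ET.fromstring(manifest_xml)
    report = {"package": root.get("package"), "device_admin": [], "fcm_services": []}
    for receiver in root.iter("receiver"):
        # Either marker is worth flagging; a working admin receiver has both.
        if (receiver.get(ANDROID_NS + "permission") == ADMIN_PERMISSION
                or ADMIN_ACTION in _actions(receiver)):
            report["device_admin"].append(receiver.get(ANDROID_NS + "name"))
    for service in root.iter("service"):
        if FCM_ACTION in _actions(service):
            report["fcm_services"].append(service.get(ANDROID_NS + "name"))
    # FCM alone is common in legitimate apps; device admin in a guide app is not.
    report["review"] = bool(report["device_admin"])
    return report

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```
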

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Almost two million Androids infected by FalseGuide malware, masquerading as game guides”

  1. Jason Jacobs

    I didn't even download any games; someone else has downloaded all kinds of apps, and I keep changing emails and still I can't stop it. I think I know who has access and who can access my accounts; they have added an iPhone on my Google account and they have a Samsung A20 just like the one I just bought. I don't know much about phones or computers. I just can't seem to fix this problem.
