Phoney Android security apps in Google Play Store found distributing malware, tracking users


Smartphone users download security applications to help protect their device and data from cyber attacks and hackers.

But attackers can also exploit this for their own ends, as demonstrated by a total of 36 phoney security tools discovered in the Google Play store for Android which, instead of protecting the user, served up malware and adware and even tracked the location of the device.

Uncovered by researchers at Trend Micro, various apps advertised themselves as providing security and other useful capabilities including cleaning junk files, saving battery and more.


However, the malicious apps also sneakily harvested user data, tracked users' location and repeatedly and aggressively pushed advertising onto the screen.

Malicious apps posing under names including Security Defender, Security Keeper, Smart Security, and Advanced Boost managed to slip past Play Store defences and onto the devices of Android users. It’s likely that by offering a handful of useful services to users and obfuscating their malicious activities, the apps were able to pass the verification process by appearing to be legitimate tools.

After installation, the malicious apps are designed to operate via push alerts which display alarmist warnings on intrusive pop-up windows. Once the app is running, the malware repeatedly bombards the user with fake security warnings.

While these look as if they could be legitimate notifications from a mobile device, these warnings are entirely fake, added by the attackers in order to make the app look as if it is operating as advertised. Those behind the malware even add an extra layer of believability to the notifications by displaying animations which claim problems have been ‘resolved’ after the user clicks on an alert.

However, nothing has actually been improved. Instead, interacting with these notifications leads to aggressive adverts appearing on the device: almost every action on a phone infected by this malware leads to a pop-up, which earns the attackers revenue from ad display and click fraud.

In addition to collecting ad revenue, researchers note that the malicious apps are also capable of collecting vast swathes of data about the device, including Android ID, the network operator, the brand and model of the device and even the location of the user.

While it’s unknown why the attackers are collecting this information, it remains a huge breach of user privacy – especially given that the victim has downloaded the app in order to protect themselves from attackers, not play into their hands.

Google has been notified of the 36 malicious apps and they’ve since been removed from the Play Store. It’s not clear how often the apps were downloaded by users: ZDNet has approached Google for comment, but at the time of publication hadn’t received a reply.

In order to avoid falling victim to intrusive malware, Trend Micro recommends that users carefully examine the permissions of apps, because an app which demands extensive permissions in order to perform basic tasks might be something sinister.

“Be aware of the scope of app permissions. Apps sometimes require more than the basic default permissions. Make sure the installed apps only have access to features they need,” said researchers.
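One way to apply that advice before installing an APK, as an added example that is not from Trend Micro or the original article: the script parses permission declarations in the style printed by `aapt dump permissions` and flags sensitive ones that go beyond what the app's advertised function needs. The package name, the sample output, the sensitive list and the "cleaner" baseline are all assumptions made for illustration.

```python
import re

# Constructed sample in the style of `aapt dump permissions <apk>` output;
# the package name is hypothetical, not one of the apps in the report.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.junkcleaner
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission-sdk-23: name='android.permission.ACCESS_COARSE_LOCATION'
"""

# Permissions worth a second look, with the capability each one unlocks.
# Chosen for illustration; the article does not list what the apps requested.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "phone state and identifiers",
    "android.permission.SYSTEM_ALERT_WINDOW": "drawing over other apps",
}

# Assumed baseline for what a junk-file cleaner needs to do its job.
CLEANER_BASELINE = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Accepts both the name='x.y.Z' style and the older bare style.
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)'?")

def parse_permissions(aapt_output):
    """Return the set of permission names declared in the aapt output."""
    perms = set()
    for line in aapt_output.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms

def flag_excess(perms, baseline):
    """Sensitive permissions requested beyond what the advertised function needs."""
    return sorted((p, SENSITIVE[p]) for p in perms - baseline if p in SENSITIVE)

if __name__ == "__main__":
    for perm, why in flag_excess(parse_permissions(SAMPLE_AAPT_OUTPUT), CLEANER_BASELINE):
        print(f"review: {perm} ({why})")
```

A flagged permission is a prompt for review rather than proof of malice; the baseline should be adjusted to the function each app claims to perform.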