The 36 apps collected user data and sent it to a remote server.
36 malicious apps have been discovered in the Google Play Store. The Android apps posed as security tools, but in reality they harvested data on smartphones and tracked users' locations. Security researchers discovered the malicious apps and said that they had been offering users different kinds of services. Trend Micro noted that the apps claimed to offer services such as cleaning junk, saving battery and scanning for viruses. The apps also claimed that they could cool the CPU, lock apps, and provide Wi-Fi security, message security and many other things.
The apps were identified as Security Defender, Guardian Antivirus, Smart Security, Security Keeper, Deep Cleaner, and Advanced Boost. There are more apps on the list. Some of the apps actually did perform the tasks they advertised. However, while providing those services, they were also bombarding users with advertisements and secretly collecting data from them. In some cases, they even tracked the user's location.
According to the security researchers, once an app was installed on the device it would not show up in the list of applications, nor would a shortcut appear. The malware's hide function was made to run on different devices using the Android system. The malware was explicitly made to stop working on devices such as the Google Nexus 6P, LGE LG-H525N, Xiaomi MI 4LTE and the ZTE N958St. The reasons why the hackers did not make the malware work on these devices are speculative. It could be that the hackers did not want to be detected by Google Play during its strict inspection periods. Another reason might be that they didn't think the malware would work on the devices mentioned.
Once a user installed the malware and the fake apps, they would receive nothing but fake security notifications and warnings. Writing about their research, the researchers mentioned that if a user installed a different app, the fake app would flag it as suspicious. The fake app could also send a notification such as "10.0 GB files are being wasted", and naturally the user would feel compelled to act. However, all of this was fake; the fake app was simply trying to gain some legitimacy.
The authors of the malware attempted to make the notifications received from the fake app as believable as possible, according to the researchers. If a user clicked on an option to resolve the issue reported, the fake app would put up a screen showing that the issue was solved.
Besides the fake security alerts and data, users were also overwhelmed with advertisements. Any and every action they attempted on their devices would be accompanied by an advertisement from the fake apps. The advertisements were aggressive and could show up at any time. If a pop-up notification to charge the phone appeared, the advertisements came with it. If the user wanted to unlock their screen, the advertisements would also pop up. One of the apps' aims was clickbait and fake ad display.
The apps also prompted users to sign in and agree to an end user license agreement, which described the information that was gathered and used by the app. The researchers concluded that the data collection was illegal because none of the app's functions warranted the data being collected. The apps managed to collect data from users and send it to a remote server.
Trend Micro notified Google about the fake apps back in December, when they discovered them. Thankfully, the fake apps have all been removed from the Google Play Store.