Scareware found hidden in Google Play apps downloaded by millions

Days after installation the apps started displaying fake warning messages promoting other rogue apps and services

Google has done a good job at keeping data-stealing Trojan apps out of Google Play, but attackers still find ways to monetize rogue apps through the store.

Avast Software researchers recently found three apps on Google Play with hidden adware functionality that was designed to activate days after the apps were installed. The rogue applications -- a game called Durak, an IQ test and a history app -- had been downloaded millions of times.

When people first install Durak, it looks and acts like a normal gaming app, Avast researcher Filip Chytry said in a blog post Tuesday. "This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device."

Specifically, every time users unlock their phones, the app displays persistent ads claiming the device and its data are at risk.

Users are asked to act, but if they do, they run into real trouble, according to the researcher. For example, they may get redirected to questionable app stores and to apps that surreptitiously attempt to send premium text messages on behalf of the users. People may also encounter apps that collect too much of their information without offering much value.

If this sounds familiar, it's because the scheme is similar to the highly effective scareware scams that have plagued PC users for years by spooking them into installing rogue antivirus programs or system optimization tools using fake warnings.

Delaying the warning messages for several days is a clever technique by the rogue developers because users will have a hard time determining which app is responsible for the alerts, and that's assuming they even suspect that the messages are triggered by an app.

Also, apps uploaded to Google Play are scanned inside an Android emulator called Bouncer to observe their post-installation behavior. By delaying the malicious activity, the app authors likely hope to bypass this behavior-based analysis.

"I believe that most people will trust that there is a problem that can be solved with one of the apps' advertised 'solutions' and will follow the recommended steps, which may lead to an investment into unwanted apps from untrusted sources," Chytry said.

In some cases the rogue ads directed users to legitimate security apps that were also hosted on Google Play, probably in an attempt to earn money through referral schemes.

"These security apps are, of course, harmless, but would security providers really want to promote their apps via adware?" Chytry said. "Even if you install the security apps, the undesirable ads popping up on your phone don't stop."

Google has removed the three offending applications identified by Avast from Google Play. However, the incident shows that although Trojans account for most Android malware, other types of threats also lurk on the official app store.

Google didn't immediately respond to a request for comment.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Googlesecuritymobile securityscamsmalwareAvast Software

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?