It’s incredible to see the growing awareness about cybersecurity and the necessity of a security suite among Android users. However, many users install a free security suite to stay safe and protect themselves from monetary loss, not realising that the free product will not provide the necessary protection.
We are not asserting that every free app fails to do what it promises, but the growing temptation of free stuff undeniably hands cyber thugs opportunities to hoodwink users. As a result, cybercriminals are ramping up efforts to obtain access to victim devices through a plethora of deceptive techniques.
The segments for free security apps, games, entertainment apps, and tools available on the Google Play Store are even more gruesome. Rogue apps categorized under these popular segments are encouraging the cyber underworld to develop adware/PUP and Trojans to aim high, celebrate, and keep going.
Recently we came across adware dubbed Virus Remover in the Google Play Store, disguising itself as Anti-Virus software.
The Virus Remover app, as seen in the Play Store, is shown in the screengrabs below.
Digging deeper, we found that the app claims to provide real-time protection, yet it carries a static list of JSON files used to blacklist or whitelist an APK file or an activity in an APK, as shown in Image 2.
In the following screenshot you can see a snippet of the app’s source code showing the portion where it’s loading the JSON files.
Looking further, we found many other fake apps of this kind in the official Play Store. Virus Remover and the other fake apps (listed in a later part of this blog) have identical code, as shown in the screengrab below, which scans for only one package name, “com.machupichu.maxespecial”, to flag as malware.
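The two traits described above (static JSON lists of package names and the single hardcoded package name) can be checked for during APK triage. The following is an added example, not code from the app or from this blog's authors; the asset file names, JSON layout and sample package names are constructed assumptions, and only the marker string comes from the post.

```python
import io, json, re, zipfile

# Package name the cloned "scanner" code looks for, as quoted in the post.
CLONE_MARKER = b"com.machupichu.maxespecial"
PKG_RE = re.compile(r"[a-zA-Z_]\w*(\.[a-zA-Z_]\w*)+")

def _strings(node):
    """Yield every string found anywhere inside parsed JSON."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)

def triage_apk(apk):
    """Return (static_lists, has_marker) for an APK path or file object."""
    static_lists, has_marker = {}, False
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.endswith(".dex"):
                # DEX string data stores ASCII literals as plain bytes.
                has_marker = has_marker or CLONE_MARKER in data
            elif name.endswith(".json"):
                try:
                    doc = json.loads(data.decode("utf-8"))
                except ValueError:
                    continue  # not plain JSON; skip rather than fail
                pkgs = sorted({s for s in _strings(doc) if PKG_RE.fullmatch(s)})
                if pkgs:
                    static_lists[name] = pkgs
    return static_lists, has_marker

def build_sample_apk():
    """Constructed stand-in for an APK; file names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/blacklist.json", json.dumps({"apps": ["com.example.badapp"]}))
        z.writestr("assets/whitelist.json", json.dumps(["com.example.goodapp", "not a package"]))
        z.writestr("classes.dex", b"dex\n035\x00\x1a" + CLONE_MARKER + b"\x00")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    lists, marker = triage_apk(build_sample_apk())
    print("static package lists:", lists)
    print("clone marker in dex:", marker)
```

A hit on the marker string only indicates the shared code described here; an obfuscated or repacked build may not contain it in clear text.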
The app hints at its suspicious intent numerous times during its execution. For instance, you can see in Image 6 that the app skips listing the much-required update feature for updating the virus definitions.
At this point in time, these apps do not exhibit any explicitly malicious behavior apart from being essentially useless (and therefore misleading) and displaying annoying advertisements, but sooner or later they might turn more perilous. Before you get victimized by any such activities, we recommend the following to Android smartphone users, to avoid falling prey to fake applications:
- Read the user review comments in the Google Play Store carefully before installing any app.
- Avoid installing apps that carry the tag “Contains Ads”, especially in security products.
- Cross-check the reputation of the developer of the security product by going through their ratings.
- In the case of security products, look for the following features and information to be protected against fake Anti-Virus apps:
  - Update – to download the latest virus definitions
  - Product information – version, update version, last updated date & time
  - Product is updated at regular intervals
- If the Anti-Virus app does not conform to the requirements shown under point 4 above, we recommend uninstalling it immediately. You may wish to also provide feedback on the Play Store to help prevent the ensnaring of other potential victims.
For your reference, below is another example of a fake Anti-Virus app.
|Application Name|Hash|K7 Detection Name|
|---|---|---|
|Anti malware 2018 virus scanner,Cleaner|513a9c9a8b9ff0d405807c301cdaa4af|Trojan ( 0054e2511 )|
Yet more of the same ilk are:
|Application Name|Hash|K7 Detection Name|
|---|---|---|
|Virus Remover|59b3bcd801bf772c3281f1cf1fc1b4cf|Trojan ( 0054f1151 )|
|Real Antivirus & Cache Cleaner|3109b317c81b2f19584d022006b1ec13|Adware ( 005333641 )|
|Antivirus for mobile 2019|28f35f0cdb12780bf1379952959c9099|Trojan ( 0054e2511 )|
|Rudraum Thumb2thief|0d58b1eeb4140c76a0be05419ecc6df1|Adware ( 005333641 )|
|Antivirus Free 2019 – Virus|80240df4a16e8b95188af75b45594813|Adware ( 005333641 )|
|Free Antivirus 2019 Booster &|96df0f51284aeee52395bd341c75e124|Trojan ( 0054e2511 )|
|Bonybytes Device Security &|0216521c7c1756a585c4bff9368f3c49|Adware ( 005333641 )|
|Anti malware 2018 virus Scanner,|70839fac2baa36940760f6a8683bdb79|Trojan ( 0054e2511 )|