As many as 2 million Android users might have downloaded apps that were infected with the FalseGuide malware, security research firm Check Point warned on Monday.
The oldest of the infected apps could have been uploaded to Google Play as long ago as last November, having successfully remained hidden for five months, while the newest may have been uploaded as recently as the beginning of this month.
The malware has infected nearly 50 guide apps for popular games, Check Point researchers Oren Koriat, Andrey Polkovnichenko & Bogdan Melnykov noted in an online post.
Check Point alerted Google about the presence of the malware, and Google swiftly responded by removing the infected apps from its online app store, they said.
The apps were submitted by two fake developer personas: “Sergei Vernik” and “Nikolai Zalupkin.”
The names may suggest a Russian connection to the malware, Koriat, Polkovnichenko & Melnykov acknowledged, but they also noted that “Zalupkin” would sound made-up to a native Russian speaker.
The infected apps have the potential of being especially dangerous, they said, as FalseGuide could be utilizing a botnet for nefarious purposes — ranging from the sending of adware to conducting a DDoS attack, or even as a way to penetrate a private network.
These high levels are possible because the apps request device admin permission upon downloading. That is an unusual request, and it suggests malicious intent, as it prevents the user from deleting the app. FalseGuide registers itself to a Firebase Cloud Messaging topic with the same name as the app, which allows it to receive additional modules that then create a silent botnet.
The makers of the FalseGuide malware likely wanted it to masquerade as game guides, which are popular and actually build on the monetary success of their related apps. They require very little development time and are limited in feature implementations.
“This FalseGuide Malware did a great job of deploying via a few apps users wanted, and when people granted it top administrative privileges during installation, the malware was planted pretty deeply,” said Jim Purtilo, associate professor of computer science at the University of Maryland.
One reason the infected apps have been able to fool users is that on the Android platform, “the security model is pretty much all-or-nothing on permissions,” he told TechNewsWorld.
“When you install an app, it will ask for access to the network, or your contacts, or any of several other kinds of resources — and commonly, you can’t install the app without agreeing,” Purtilo said.
“Sometimes what it asks for can raise a red flag. Why would a flashlight app need your contact lists? But unfortunately, the rationale for an app needing some service might not be clear, so even experienced users become lulled into agreeing without thinking,” he added. “They just trust the source — Google Play, in this case.”
Google so far has responded in the only way it can — by removing the infected apps from Google Play. However, given that some of these guides date back to early November, it appears that the company clearly failed to protect its customers.
“This is nasty, and maybe the best thing ever to happen for BlackBerry in recent memory,” said Rob Enderle, principal analyst at the Enderle Group.
“The reason is that FalseGuide is designed to provide elevated permissions for the external attacker, and automatically install additional malware modules including rootkits,” he told TechNewsWorld.
“Currently, only the Blackberry Android phones are designed to aggressively prevent this kind of attack,” Enderle said.
This malware “does represent a significant threat,” he added, “because the phones can then be used to convey user identity information and execute DDoS attacks — and could even be used to spy on users’ activity using the phones’ cameras and microphones.”
Rootkit of the Problem
At this point there may be little users can do except reset their devices and be more cautious of what they download. However, those steps might not be enough to purge the malware.
“Since this thing can apply a rootkit to your phone, even going back to the original settings by doing a full phone wipe may not eliminate the malware, so this could cost you a phone,” warned Enderle.
“These users are pretty well compromised now,” said Purtilo.
“It’s a little awkward that this went undetected for so long at Google Play,” he noted, “and in the ongoing cat-and-mouse game between creation and detection of digital pests, the malware creators still hold a strong lead. This won’t change until we come up with more effective ways to help consumers make rational choices about what we agree to run on our devices.”
The problem in part is loss of trust — especially as people expect Google Play to be vetted and safe, so their guard will be down. This is why some might not have caught on that a guide shouldn’t need administrator rights.
“This serves as a reminder to read the rights that every app asks for,” said Enderle.
“If those rights don’t align with what the app does — for instance, why would a guide need your contact list? — or if the app asks for admin rights don’t install it,” he advised.
“Given this is getting through Google vetting, and Apple doesn’t talk about stuff like this,” said Enderle, “it kind of makes you wonder if there is something similar on Apple phones that we either haven’t discovered yet or that hasn’t launched yet, suggesting that even Apple owners should keep their eyes open for this kind of an attack.”
Thanks for sharing this information! I have seen app submissions from both the iOS side and the Android side and have always been amazed at the ease in which an app passes through Android app submission, vetting and then on to the PlayStore. This article makes me wonder: are the days of easy app submission and analysis almost over. I have read before that Google has an uninstall switch that they can implement. Should this be one of those instances?