Watch out – this Android malware has been installed millions of times already

Half a dozen Android apps, pretending to be utility services, have been scamming users and earning the developers advertising revenue, cybersecurity researchers have claimed.

The apps have managed to fool quite a number of people, having apparently been downloaded more than two million times.

Google has since removed all of them from the Play Store, but users are still being warned to be on their guard.

Malicious Android apps

The Dr. Web antivirus team discovered a total of five apps whose only goal is to trick people into downloading them and then serve them ads for as long as possible. The biggest one, with more than a million downloads, is TubeBox.

TubeBox promises users a cut of the advertising revenue if they sit and watch ads in the app. However, the whole thing is a trick, as when the user tries to redeem the rewards, they’ll conveniently run into different bugs and errors. Even those who somehow manage to work around all of the bugs will simply not get any funds.

Other discovered apps are “Bluetooth device auto connect”, with a million downloads, “Bluetooth & Wi-Fi & USB driver”, with 100,000 downloads, “Volume, Music Equalizer” with 50,000 downloads, and “Fast Cleaner & Cooling Master”, with some 500 downloads.

The apps don’t serve just any ads – a Firebase Cloud Messaging account serves as a C2 server and instructs the apps which websites to load.

Some apps, such as the “Fast Cleaner & Cooling Master”, could also be used as a proxy server, the researchers found. With a proxy, the threat actors could channel their traffic through the infected endpoint.

Just because an app sits on the Google Play Store, does not make it secure by default. Although Google’s defense mechanisms are formidable, threat actors are always looking for new ways to squeeze fraudulent apps into the popular app repository, and succeed every now and then. To protect against such apps, always make sure to read through the reviews, as other users could be warning about the fraud, as well.

Via: BleepingComputer