These apps – detected by ESET as Android/Fasurke – were available on the Google Play store for over four months. Despite receiving a considerable number of negative reviews, they reached hundreds of thousands of downloads. Upon ESET’s notification, the Android security team removed all the apps from the store.
“Even though the apps no longer pose a risk for Android users, it’s still worth disclosing exactly how they worked, as sooner or later, similar malicious apps may appear on Google Play store again,” said ESET Security Researcher Lukáš Štefanko, who discovered the malicious apps.
In the most common scenario, the app required users to enter their personal information and select the number of followers they wanted to gain. However, after pressing the button “Start Generating”, the user was presented with a so-called human verification step.
However, this was only a cover-up used to draw users into endless offerings of gifts, coupons and free services, as well as requests for personal information such as name, email, address, telephone, date of birth and gender. They were also asked to provide consent to receive telesales calls and text messages, some of which were premium-rated SMS subscriptions costing the victim approximately 4.8 EUR per week.
“The only purpose of all those surveys, ads, offers, rewards, winning prizes, gift coupons and other cheap marketing tricks is to milk as much information and money from the follower-hungry users as possible,” warns Lukáš Štefanko.
In order to keep safe from bogus and other harmful apps, Android users should follow security best practices recommended by ESET experts:
- If possible, stick with Google Play or another reputable app store. These markets might not be completely free from malicious apps, but you have a fair chance of avoiding them.
- Prior to installing any app, check its ratings and reviews. Focus on the negative ones, as they often come from legitimate users, while positive feedback may be crafted by the attackers.
- Facing sensational offers, keep in mind the golden rule "If it seems too good to be true, it probably is".
- If they offer you half a million followers for free, with a single click - or after completing a survey - they will probably not be able to deliver.
- Think twice when entering your personal information, giving consent to something or ordering goods or services. Be absolutely sure about what you receive in exchange.
- Invest a small amount of effort in getting to know who you are about to do business with.
- Use a quality mobile security solution; it’s crucial to protect all your devices, so you might wish to use a multi-device security pack.
More information about these bogus apps can be found in Lukáš Štefanko’s article on ESET’s official IT security blog, WeLiveSecurity.com.