As many as two million Android phone users may have downloaded FalseGuide, a malware hidden inside several apps which served as gaming guides.
FalseGuide obtains admin access to Android phones and then downloads additional modules to root a device, conduct a DDoS attack or penetrate private networks.
Security firm Check Point discovered as many as six gaming guide apps which contained FalseGuide and were developed by Russian hackers. These apps were made available on the Google Play Store in November last year and have since been downloaded by over two million users without being discovered.
Check Point had initially located 40 such infected apps on the Play Store, several of which had notched up more than 50,000 installs. Upon being informed, Google booted those apps from the store but Check Point recently found out that two new malicious apps have entered the Play Store again, and informed Google again.
"The malware uses the admin permission to avoid being deleted by the user, an action which normally suggests a malicious intention. The malware then registers itself to a Firebase Cloud Messaging topic which has the same name as the app," noted Check Point researchers in the firm's official blog.
"Once subscribed to the topic, FalseGuide can receive messages containing links to additional modules and download them to the infected device. After a long wait, we were able to receive such a module and determine that the botnet is used to display illegitimate pop-up ads out of context, using a background service that starts running once the device is booted. Depending on the attackers’ objectives, these modules can contain highly malicious code intended to root the device, conduct a DDoS attack, or even penetrate private networks," they added.
The researchers have advised Android phone users not to rely on the Google Play Store for security from malicious apps. Instead, they must implement additional security measures like using mobile antivirus apps. This is because mobile botnets have been growing 'in both sophistication and reach' and hide behind seemingly harmless guide apps which are very popular and require little development.
Back in 2015, researchers at security firm FireEye discovered a new malware named Kemoge which lurked in unofficial app stores and mimicking popular apps by using their titles and repackaged icons. The malware was used by its creators to access root privileges, harvest mobile data from Android devices, connect to a server and install, uninstall, download and launch designated apps from URLs provided by the server. Following its discovery, security firms began a campaign on a war footing to stop people from download apps from unofficial app stores.
Last year, researchers at Check Point revealed that while there was a slight drop in malware count in the summer, the prevalence of mobile malware increased 50 per cent from June to make up nine per cent of all malware. “Businesses should not be lulled into a false sense of security by the slight drop in the number of active malware families during July. The number of active families still remains at near-record levels, highlighting the scale of the challenges businesses face in securing their network against cyber criminals," said Nathan Shuchami, head of threat prevention at Check Point.