Trend Micro researchers notified Google that 36 malicious apps on Google Play are posing as security tools.
The malicious apps were advertised under names such as Security Defender, Security Keeper, Smart Security, Advanced Boost, and other cybersecurity sounding names, but their true purpose was to steal user information and bombard them with ads, according to a Jan. 3 blog post.
Many of the apps boost a variety of features such as scanning, cleaning junk, saving battery, cooling the CPU, locking apps, as well as message security, and WiFi security. While the apps are actually able to perform the advertised tasks, they also secretly harvest user data, tracked user location, and aggressively pushed advertisements on nearly every action a user performs.
The apps collect information such as the user's Android ID, Mac address, IMSI, information about the OS, brand and model of the device, device specifics, language, location information, and data on installed apps like Google Play and Facebook to sends to a remote server. The malware is also capable of uploading installed app information, as well as attachments, user operational information, and data on activated events as well.
When the apps are first launched they won't appear on the device launcher's list of applications, shortcuts will also not appear on the device screen and users will only be able to see notifications sent by the apps.
The “hide” function is designed to not run on specified devices including the Google Nexus 6P, Xiaomi MI 4LTE, ZTE N958St and LGE LG-H525n, presumably to avoid being checked by Google Play during inspection periods, researchers said.
Once installed, users are bombarded with false security notifications and other messages from the malware while the app is running. Most of the notifications are false although they are designed to be believable. Notifications include“10.0 GB files are being wasted” or “Fraud SMS Broadcast Vulnerability” which will prompt some kind of action.
If a user clicks the displayed button on the prompt the app will show a simple animation illustrating that the problem was resolved. In addition to the security prompts, users are bombarded with different advertisements in many different scenarios such as after the app sends notices to unlock the device screen or if the user is told to connect to a charger.
“Users are actually asked to sign and agree to a EULA (end-user license agreement) which describes the information that will be gathered and used by the app,” researchers said in the report. “But we can still say that the app abuses privacy because the collection and transmission of personal data is unrelated to the functionality of the app.”
Researchers spotted the malicious apps in December 2017 and said the apps have since been removed by the time the blog was written. In order to secure and protect devices, researcher recommend users keep their devices updated, download apps from trusted sources and check reviews or comments on app pages to ensure the apps are legitimate regardless of the source.