These apps disguised themselves as sports, news, utility and game apps, but were in fact fronts for gambling and pornography apps. These Potentially Unwanted Apps (PUAs) carried well-known brand names such as Norton Antivirus, Grindr updates and Tinder Dating News, but if downloaded they either led the user to a different site or to the brand’s actual app, while installing malware so the malicious actors could display different content at a later date, Symantec wrote.
Because the app is fully under the control of the attacker, it could allow them to place a cryptominer or phishing websites on the victim’s phone.
All of the fake apps seemingly were put in place by the same person or group.
“We analyzed the samples and found that they all call http://myservicessapps[DOT]com/firebase/[PHP Name]?app=[APP ID] to get the configuration for the current application, where the app can parse the style and specified URL by the “red_ph” value in the configuration,” Symantec wrote, adding all had a similar file structure.
Microsoft was notified of the problem and some of the apps have been removed, but Symantec noted some are still available for download.
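The configuration request Symantec describes gives defenders a network indicator to hunt for. The following is an added example, not code from Symantec or the original article: it scans proxy log lines for requests matching that URL pattern and lists which app IDs each client fetched. The log format, the sample lines, the `cfg.php` name, the app IDs and the choice to also match subdomains are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Indicator exactly as the article gives it (defanged); refanged only in memory.
C2_HOST = "myservicessapps[DOT]com".replace("[DOT]", ".")
C2_PATH_PREFIX = "/firebase/"

def match_config_fetch(url):
    """Return (php_name, app_id) if url fits the reported pattern, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    # Exact host or a subdomain (assumption); lookalike hosts must not match.
    if host != C2_HOST and not host.endswith("." + C2_HOST):
        return None
    if not parts.path.lower().startswith(C2_PATH_PREFIX):
        return None
    php_name = parts.path[len(C2_PATH_PREFIX):]
    app_ids = parse_qs(parts.query).get("app")
    if not php_name or not app_ids:
        return None
    return php_name, app_ids[0]

def hits_by_client(log_lines):
    """Map client address -> sorted app IDs seen requesting configuration."""
    hits = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed or truncated lines
        client, url = fields[1], fields[2]
        match = match_config_fetch(url)
        if match:
            hits[client].add(match[1])
    return {client: sorted(ids) for client, ids in hits.items()}

# Constructed proxy log lines in an assumed "<timestamp> <client> <url>" format.
SAMPLE_LOG = [
    f"2000-01-01T10:01:02Z 10.0.0.5 http://{C2_HOST}/firebase/cfg.php?app=1001",
    f"2000-01-01T10:01:09Z 10.0.0.5 http://{C2_HOST.upper()}/firebase/cfg.php?app=1002",
    f"2000-01-01T10:02:00Z 10.0.0.7 http://not{C2_HOST}/firebase/cfg.php?app=1",
    f"2000-01-01T10:03:00Z 10.0.0.8 http://{C2_HOST}/index.html",
    "2000-01-01T10:04:00Z 10.0.0.9 http://example.com/firebase/cfg.php?app=7",
    "truncated",
]

if __name__ == "__main__":
    for client, ids in hits_by_client(SAMPLE_LOG).items():
        print(client, ids)
```

Each reported client is a device that likely has one of these apps installed, and the app IDs help tell which ones.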