The Check Point team detected the botnet being used to display unauthorized pop-up ads.
The Check Point team detected the botnet being used to display unauthorized pop-up ads.

A new strain of malware was detected on Google Play that mobile threat researchers at Check Point dubbed FalseGuide and said was hidden in more than 40 guide apps for games.

Game players downloaded the malware from Google's official app store more than 50,000 times and the contagion reached as many as 600,000 devices, according to the report on Check Point's blog.

Check Point notified Google about the malware and it was swiftly deleted from the app store, but two new variants appeared at the beginning of April. Another notification went out, but it was unclear at press time if Google had removed the two new malicious apps.

The malware functions similarly to previous malware discovered on Google Play, such as Viking Horde and DressCode, the researchers said. It links the infected devices into a botnet in order to distribute adware.

What differentiates this malware is how it requests an unusual permission before it's installed – device admin permission, the researchers stated.

"The malware uses the admin permission to avoid being deleted by the user, an action which normally suggests a malicious intention. The malware then registers itself to a Firebase Cloud Messaging topic which has the same name as the app."

Once it achieves a link, the malware can "receive messages containing links to additional modules and download them to the infected device."

The Check Point team detected the botnet being used to display unauthorized pop-up ads. Even worse, the modules delivered "highly malicious code intended to root the device, conduct a DDoS attack, or even penetrate private networks," the researchers said.

The miscreants behind the malware are clever for exploiting guiding apps for games, they added. These apps are enormously popular as complements to widely used games and require little development, thus making them attractive to bad actors looking to distribute malware to a large audience with little effort.

As the apps were submitted with names that appear Russian (though phony), there appeared to be a Russian connection, the report offered.

There are virtually endless ways to alter a malware's code, the Check Point research team told SC Media on Wednesday. To evade most security measures, slight variations are sufficient, as proven by FalseGuide, they said.

"This malware follows in the footsteps of DressCode and other mobile botnets spreading through Google Play. This time, the malware hides its malicious intention by leaving minimal functionality on the app itself and relying on communication with its command and control server for the rest."

The researchers said that they can understand that the attackers are quite sophisticated, but anything else is just speculation.

Regardless, mobile botnets are a growing trend, they said. "They yield great profits to the attackers, and can be used for various purposes, which don't have to be predefined. In addition, the malicious intents stay hidden until a late stage of the attack, allowing the malware to slip into Google Play," the Check Point team told SC.

"The fact that yet another malware spread via Google Play proves once again that users need mobile security solutions to stay protected," they concluded.