Almost two million Androids infected by FalseGuide malware, masquerading as game guides

Not the first botnet-based badware to be found on Google Play…

Almost two million Androids infected by FalseGuide malware, masquerading as game guides

A malware family known as FalseGuide masqueraded as game guides on Google Play to infect nearly two million Android devices.

Mobile threat researchers spotted the malware hiding in more than three dozen guide apps available for download on Google's Play Store. Some of these apps had been around since mid-February 2017. Several of the affected programs boasted more than 50,000 installations at the time of discovery.

Falseguide 415x1024

An app containing FalseGuide malware on Google Play. (Source: Check Point)

Why gaming guides, you might ask? Check Point's Oren Koriat, Andrey Polkovnichenko and Bogdan Melnykov have the answer:

"FalseGuide masquerades as guiding apps for games for two major reasons. First, guiding apps are very popular, monetizing on the success of the original gaming apps. Second, guiding apps require very little development and feature implementation. For malware developers this is a good way to reach a widespread audience with minimal effort."

FalseGuide is similar to other Android malware like DressCode (and its successor MilkyDoor) in that it seeks to build a botnet of compromised devices. It collects a new victim by obtaining admin privileges from the device owner, superuser rights which it uses to avoid deletion by the user. It then registers itself to a Firebase Cloud Messaging topic, thereby allowing the fake app to receive messages containing links to additional modules.

One add-on allows FalseGuide to display out-of-context pop-up ads. Others could leverage the overall strength of the botnet to launch distributed denial of service (DDoS) attacks and penetrate private networks.

Clearly, mobile botnets will continue to surface on Google's Play Store. With that in mind, users should protect themselves by reading the reviews of any app before they install it, including programs found on the Play Store. These comments usually disclose suspicious behavior.

If users decide to install an app, they should review its permissions carefully before they finalize the download process. There's no reason an app like a game guide requires admin permissions. Not now. Not ever.

Tags: , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , ,

No comments yet.

Leave a Reply