Do you completely trust mobile applications available on the official app store like Google Play? If your answer is yes, you’re wrong.
ESET security researcher Lukas Stefanko has discovered 30 malicious apps uploaded to the Google Play store over nine months, the bogus apps pretend be Minecraft cheats and tip guides. This kind of attack is very dangerous due to the large audience of the official Google Play, in the specific case Stefanenko confirmed that nearly 2.8 million users have already downloaded malicious Minecraft Android apps. The malicious Minecraft Android apps aren’t trojanized version of a legitimate app, they simply are empty applications that display victims banners to notify them the presence of “high-risk” threat. Users were then directed to remove to remove the threat by activating a premium-rate SMS subscription.
“All of the discovered apps were fake in that they did not contain any of the promised functionality and only displayed banners that tried to trick users into believing that their Android system is infected with a ‘dangerous virus’,” Stefanko says. “Users were then directed to remove viruses by activating a premium-rate SMS subscription that would cost them €4.80 per week.
The data related to the download of the malicious Minecraft Android apps are worrying, since the first upload of one of the scareware on the Google Play store in August 2014, several of them were installed between 100.000 – 500.000 times.
“… several of them were installed between 100,000 and 500,000 times and the total number of installations of all 33 scareware applications lies between 660,000 and 2,800,000.” Stefanko added.
The banner is triggered by any user interaction with the fake Minecraft Android app, by simply clicking the Start, Options, and Exit buttons, an alert window popping up, informing victims of the presence of a malware and provide suggestions on how to remove it.
“Clicking on the alert leads to another step of the scam – several websites with more scareware messages. One of these websites tries to appear as if they belonged to the legitimate AV vendor, G-Data.” states Stefanko.
The last step of the scam sees the scareware preparing an SMS in the system default SMS application. The text of the SMS used by scammers mentions an activation of the antivirus product. The application does not have permissions to send the SMS itself and solely
Be aware because the malicious Minecraft Android apps don’t have permissions to send the SMS so the authors relay in tricking the victims to do it manually with a social engineering technique. The cost for the SMS premium service is 4.80 € per week, not too bad if we consider the number of potential victims.
Unfortunately, it is not simple to avoid similar incidents, Google’s Play Store adopts an anti-malware Bouncer framework to avoid the publication of malicious applications and integrated it with manual review done by human operators. In same cases to avoid this checking mechanism, bad actors upload benign applications and later push malicious updates.
(Security Affairs – Malicious Minecraft Android apps, malware)