While online today I could not help but notice an important post about a set of scam applications on Android devices. They caught Google's attention and were removed from the Play Store, but by then they had already racked up a large number of downloads, 382 million in total. If you missed the news about these dubious applications, it is high time you delete them from your device before they land you in hot water.
According to the post, two different teams of researchers uncovered these applications. They were pulled from the Play Store despite racking up as many as 470K downloads.
Trend Micro explained that these applications disguise themselves as utility apps with unsuspicious names such as Rocket Cleaner or LinkWorldVPN.
What Trend Micro noticed, however, was a pattern shared by all of them: they secretly connect to a remote server and download thousands of malware samples straight onto the Android device. Some of these applications are also reported to log into the user's Facebook or Google account for ad fraud.
The apps in question include the following:
- Shoot Clean–Junk Cleaner, Phone Booster, CPU Cooler
- Super Clean Lite — Booster, Clean & CPU Cooler
- Super Clean — Phone Booster, Junk Cleaner & CPU Cooler
- Quick Games — H5 Game Center
- Rocket Cleaner
- Rocket Cleaner Lite
- Speed Clean — Phone Booster, Junk Cleaner & App Manager
- H5 gamebox
According to Trend Micro's findings, these applications likely originated in China. Once installed, they connect to a server and carry out dubious actions such as posting fake reviews and even logging into Facebook or Google accounts. They could also trick users into unwittingly disabling Play Protect, Android's built-in malware scanner, among other nefarious acts.
Even though Google has done its part by removing these applications from the Play Store, be sure to delete them from your device to be on the safe side.
Separate research from the Cofense Phishing Defense Center has uncovered other variants of such dubious applications, which target Android devices that allow the installation of unsigned applications.
According to a new report from the center, this is an effort to infect devices with Anubis, “a particularly nasty piece of malware that was originally used for cyber espionage and retooled as a banking trojan.
“Anubis can completely hijack an Android mobile device, steal data, record phone calls, and even hold the device to ransom by encrypting the victim’s personal files. With mobile devices increasingly used in the corporate environment, thanks to the popularity of BYOD policies, this malware has the potential to cause serious harm, mostly to consumers, and businesses that allow the installation of unsigned applications.”
According to the report, the malicious campaign usually reaches users as an email carrying an attachment that looks like an invoice. When the attachment is opened, the user is met with a screen asking them to enable “Google Play Protect”. Clicking “Ok” does not do that at all: it grants the app a set of hidden, highly dangerous permissions while, ironically, disabling the real Google Play Protect.
Other capabilities are activated during this process as well, such as taking screenshots, changing admin settings, recording audio, stealing the contact list and even locking the device. That is already a serious problem, but this “ghost” application does more: it doubles as ransomware, since it ships the components needed to act as one.
Ars Technica reports that the ransomware module can be delivered through this same campaign and activated remotely whenever the attacker chooses, seizing everything on your device and encrypting it until you pay a ransom.
Check the Cofense report here for a list of apps this campaign targets (it’s quite a long list). “Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the most risk of compromise,” the report concludes.
“With the increased use of Android phones in business environments, it is important to defend against these threats by ensuring devices are kept current with the latest updates. Limiting app installations on corporate devices, as well as ensuring that applications are created by trusted developers on official marketplaces, can help in reducing the risk of infection as well.”
We urge you to always be careful about which attachments you open, especially from email senders you do not know. Deleting the applications listed above will also help get your device cleaned out, and stick to applications that carry the Google Play Protect badge.
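The invoice-attachment lure described above, together with Cofense's warning about devices that accept unsigned applications, can be turned into a simple mail-gateway check. The following Python script is an added example, not code from the article or from Trend Micro, Cofense or Ars Technica: it identifies attachments that are really Android packages regardless of the name they arrive under, and reports whether the package carries any signature artifacts at all. The sample attachments are constructed in memory so the script runs offline; the file names, the `LURE_WORDS` list and the `triage` function are assumptions made for illustration.

```python
"""Mail-attachment triage for Android package lures (added example, not from the article)."""
import io
import zipfile

# Magic string of the v2/v3 APK Signing Block (sits just before the ZIP central directory).
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
# Constructed lure vocabulary; a real deployment would tune this to its own mail traffic.
LURE_WORDS = ("invoice", "receipt", "statement", "payment")


def is_apk(data: bytes) -> bool:
    """An APK is a ZIP archive carrying AndroidManifest.xml and at least one classes*.dex."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    has_manifest = "AndroidManifest.xml" in names
    has_dex = any(n.startswith("classes") and n.endswith(".dex") for n in names)
    return has_manifest and has_dex


def has_signature_artifacts(data: bytes) -> bool:
    """True if v1 (JAR) signature files or a v2/v3 signing block are present.

    Presence is not validity: a real gateway would run `apksigner verify` or an
    equivalent; this only separates 'unsigned' from 'claims to be signed'.
    """
    if APK_SIG_BLOCK_MAGIC in data:
        return True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    sf = any(n.startswith("META-INF/") and n.endswith(".SF") for n in names)
    cert = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC")) for n in names)
    return sf and cert


def triage(filename: str, data: bytes) -> dict:
    """Return a verdict for one attachment. Android packages are blocked outright,
    with the reasons that make this one resemble the campaign described above."""
    lower = filename.lower()
    result = {"filename": filename, "is_apk": is_apk(data), "signed": None,
              "reasons": [], "verdict": "allow"}
    if not result["is_apk"]:
        return result
    result["verdict"] = "block"
    result["reasons"].append("Android package attached")
    result["signed"] = has_signature_artifacts(data)
    if not lower.endswith(".apk"):
        result["reasons"].append("extension mismatch")
    if any(w in lower for w in LURE_WORDS):
        result["reasons"].append("invoice-style lure name")
    if not result["signed"]:
        result["reasons"].append("no signature artifacts")
    return result


def _build_apk(signed: bool) -> bytes:
    """Constructed minimal APK-shaped archive; the contents are placeholders, not real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")  # placeholder DER bytes
    return buf.getvalue()


# Constructed sample attachments: an unsigned APK posing as a PDF invoice,
# a signed-looking APK with an honest name, and a genuine (stub) PDF.
SAMPLE_ATTACHMENTS = {
    "Invoice_2841.pdf": _build_apk(signed=False),
    "update.apk": _build_apk(signed=True),
    "invoice.pdf": b"%PDF-1.4\n% constructed stub, not an APK\n",
}


def triage_all(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Triage every attachment and map filename -> verdict."""
    return {name: triage(name, data)["verdict"] for name, data in attachments.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS.items():
        r = triage(name, data)
        print(f"{name:20} {r['verdict']:5} signed={r['signed']} {', '.join(r['reasons'])}")
```

The check keys on file contents rather than the claimed extension or MIME type, because the lure in this campaign arrives as an "invoice". Blocking every Android package at the mail gateway is the simplest way to enforce the report's advice that apps come only from official marketplaces; the signature-artifact check is informational and is no substitute for cryptographic verification with apksigner.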