FalseGuide Malware Ensnared 2 Million Android Users In Zombie Botnet Via Google Play

Official app stores are supposed to be safe havens where mobile users can download and install programs and games without fear of mucking up their smartphones and tablets. Unfortunately, that is not always the case. Researchers at veteran security outfit Check Point, makers of the popular ZoneAlarm personal firewall, recently detected a new strain of malware on Google Play that seems intent on enlisting unsuspecting users into a botnet.

Dubbed "FalseGuide," the malware was found hidden inside more than 40 guide apps for games, the oldest of which was uploaded as early as November 2016. That means it was able to hide for at least five months. Check Point estimates that nearly 2 million users have been infected by FalseGuide, up from the company's original estimate of more than 600,000 infected devices.

Google Play

"Check Point notified Google about the malware, and it was swiftly removed from the app store. At the beginning of April, two new malicious apps were uploaded to Google Play containing this malware, and Check Point notified Google once again," Check Point stated in a blog post.

The malware quietly turns the infected devices into a silent botnet. The operators in remote control of compromised smartphones and tablets have been using that botnet to deliver adware. One telltale sign that something is awry is an unusual permission request during installation: the compromised apps ask for device admin permission, which makes them harder for the user to uninstall.
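The device admin request is something a reviewer can look for statically before an app ever runs, because an Android app can only become a device administrator if its manifest registers a receiver guarded by `BIND_DEVICE_ADMIN` (or listening for `DEVICE_ADMIN_ENABLED`). The following triage script is an example added here, not Check Point's tooling and not code from the article; the two manifests it checks are constructed samples, and the function names are my own. It flags any app whose manifest declares such a receiver so an analyst can ask whether a game guide has any business holding that privilege.

```python
"""Static triage for the indicator described above: an app whose manifest
registers an Android Device Administration receiver.

Added example, not Check Point's code. Manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def find_device_admin_receivers(manifest_xml: str) -> list:
    """Return the names of <receiver> elements that request device admin.

    A device admin receiver is normally both guarded by BIND_DEVICE_ADMIN and
    subscribed to DEVICE_ADMIN_ENABLED; either one alone is enough to flag,
    since a missing guard is itself a red flag rather than a reason to skip."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        guarded = _android_attr(receiver, "permission") == DEVICE_ADMIN_PERMISSION
        actions = {_android_attr(a, "name") for a in receiver.iter("action")}
        listens = DEVICE_ADMIN_ACTION in actions
        if guarded or listens:
            found.append(_android_attr(receiver, "name"))
    return found


def triage(manifest_xml: str) -> dict:
    """Summarise the manifest: package name, requested permissions, and
    whether any device admin receiver is declared (flag=True)."""
    root = ET.fromstring(manifest_xml)
    requested = [_android_attr(p, "name") for p in root.iter("uses-permission")]
    admins = find_device_admin_receivers(manifest_xml)
    return {
        "package": root.get("package", ""),
        "uses_permissions": requested,
        "device_admin_receivers": admins,
        "flag": bool(admins),
    }


# Constructed sample: a plain guide app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gameguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game Guide">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: same kind of app, but it registers a device admin
# receiver, which lets it resist removal once the user grants the request.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gameguide.pro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game Guide Pro">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(label, triage(manifest))
```

The flag is a triage signal, not a verdict: device-management, anti-theft and parental-control apps legitimately register device admin receivers, so the question the output should prompt is whether this particular app's stated purpose justifies the privilege. A game guide has none, which is exactly why the request stood out in the FalseGuide apps.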

Why masquerade as guide apps for games? Check Point notes that guide apps are popular and require very little development or feature work. Those traits let malware developers reach a wide audience with little effort.

Check Point believes the malware has Russian ties, based on the names of the two fake developers who uploaded the malicious apps: Sergei Vernik and Nikolai Zalupkin.

Via:  Check Point