Security Firm Sounds Alarm On These Fraudulent Android Rewards Apps On Google Play

An angry looking Android doll in front of an army of Android dolls.
One of the best ways to avoid mucking up your mobile device with malware is to only download and install software from official app stores. However, you still should never let your guard down, even when avoiding the side-loading scene altogether. If anyone needs reminding of this, a security firm is calling foul on several fraudulent rewards apps that have collectively amassed around 20 million downloads from Google Play.

Unfortunately, this is a recurring theme—every so often we write about malicious apps that have managed to infiltrate Google Play, which is supposed to be a safe haven for Android users. Just last month, we reported on malicious apps disguised as rewards apps on Google Play, which had bamboozled 2 million users into infecting their devices.

That seems to be a popular ploy lately. The antivirus folks at Doctor Web (Dr.Web) issued a new report that highlights security threats they discovered on Google Play. Once again, they called to attention "FakeMoney" apps with hidden agendas that outwardly promise enticing rewards.

"These apps make it look as if rewards are accruing for completed tasks. To withdraw their 'earnings', users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments," Dr.Web states.

Such apps come in different forms and guises, most of which issue tokens that users are supposed to be able to convert into real money. The least sinister among these types of apps issue minuscule rewards for completing gargantuan tasks. But some of them outright evade any chance of collecting a real-world rewards.

Fraudulant rewards apps on Google, according to Dr.Web.
Dr.Web warns against installing these apps that promise rewards for completing tasks

In one example, Dr.Web points to an app called "Lucky Step-Walking Tracker" that draws users in by promising the ability to convert earned tokens into online gift cards. That app attracted 10 million downloads on Google Play.

"However, with the release of the app’s update, the developers removed the functionality for converting rewards into real money by getting rid of the corresponding interface elements. As a result, all previously accumulated rewards became useless numbers," Dr.Web says.

Others are downright malicious, in that they contain malware and sneakily sign victims up for paid subscription services. Whatever the case, it's best to avoid these kinds of apps. In addition to the "Lucky Step-Walking Tracker" app with 10 million downloads, two others that stood out to Dr.Web include WalkingJoy" (5 million downloads) and "Lucky Habit: health tracker" (5 million downloads).

These appear to ping the same remote server, suggesting a single malicious outfit or developer. The security report also calls attention to a bunch of phishing apps disguised as games and investments apps. Some of them only have around 5,000 downloads to date, though others accumulated 100,000 downloads. Check out Dr.Web's report for the full list and if you spot any apps you've already installed, you should nuke them ASAP.