Game apps in the Google Play Store, including some geared towards children, could be hiding malicious code. According to a report by Check Point, the code hides in roughly 60 game apps, which have been downloaded between 3 million and 7 million times.
Dubbed ‘AdultSwine’, these malicious apps work in three ways:
- Displaying ads from the web that are often highly inappropriate and pornographic.
- Attempting to trick users into installing fake ‘security apps’.
- Inducing users to register to premium services at the user’s expense.
In addition, the malicious code can be used to open the door for other attacks such as user credential theft.
Once the malicious app is installed on the device, it waits for a boot to occur or for a user to unlock their screen in order to initiate the attack. The attacker then selects one of the three actions and displays it on the device owner’s screen.
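The boot and unlock triggers described above can be checked for when reviewing an app. The following is an added example, not code from the Check Point report: it scans a decoded AndroidManifest.xml for broadcast receivers that wake on boot or screen unlock, assuming those triggers correspond to the standard Android broadcasts BOOT_COMPLETED and USER_PRESENT. The sample manifest and its package and class names are constructed.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used by decoded Android manifests (e.g. apktool output).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: the article's "boot" and "unlock" triggers map to these
# standard Android broadcast actions.
TRIGGERS = {
    "android.intent.action.BOOT_COMPLETED": "device boot",
    "android.intent.action.USER_PRESENT": "screen unlock",
}

# Constructed sample manifest for a hypothetical game app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <receiver android:name=".StartReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".WidgetReceiver">
      <intent-filter>
        <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
""".strip()


def find_trigger_receivers(manifest_xml):
    """Map each receiver name to the boot/unlock triggers it listens for."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "<unnamed>")
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        hits = sorted(TRIGGERS[a] for a in actions if a in TRIGGERS)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in find_trigger_receivers(SAMPLE_MANIFEST).items():
        print(f"{name}: wakes on {', '.join(hits)}")
```

Many legitimate apps also listen for boot, so a hit is a reason to look at what the receiver does, particularly in a children's game, rather than a verdict.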
Most concerning to the researchers is the malware’s ability to cause pornographic ads (from the attacker’s 3rd party library) to pop up without warning on the screen over the legitimate game app being displayed.
Another route the code uses is scaring users into installing unnecessary and possibly harmful “security” apps. By displaying a misleading ad claiming a virus has infected the user’s device, the ad gives users the option to ‘Remove Virus Now’ with a click. The user is directed to another app in the Google Play Store posing as a virus removal solution, which turns out to be a fake app.
Another technique used by the malicious app is registering the victim to premium services and charging their account for services they did not request. In a similar way to the tactic presented above, it displays a pop-up ad, which attempts to persuade the user to register for this service.
This time, the ad claims that the user is entitled to win an iPhone by simply answering four short questions. Should the user answer them, the page informs the user that he has been successful, and asks him to enter his phone number to receive the prize. Once entered, the ad itself then uses this number to register to premium services.
Google has now collaborated with Check Point Research, removed the affected apps from Play, disabled the developers’ accounts, and will continue to show strong warnings to any users that still have the apps installed. The scareware “virus removal solution” was suspended from Google Play for using inappropriate marketing tactics to drive installs.
Due to the pervasive use of mobile apps, ‘AdultSwine’ and other similar malicious apps will likely be continually repeated and imitated by hackers. Users should be extra vigilant when installing apps, particularly those intended for use by children. Check Point advises parents to verify that apps used by their children are categorised as “Designed for Families” on Google Play.