April 27, 2017 by

FalseGuide Botnet Malware Hits 2 Million Android Devices

Security researchers have discovered and revealed details about ‘FalseGuide’, a new strain of malware that resides among applications on Google’s official app store, Google Play.

Researchers at Check Point have discovered at least 45 Google Play store apps, typically those that provide guides and walkthroughs for mobile games, to contain the malware. Cumulatively, these apps have been downloaded onto nearly 2 million Android phones and tablets over the past year.

While initial investigations pointed to 600,000 infected devices with the oldest compromised app uploaded to Google Play in February this year, subsequent research revealed that the apps have been around since late 2016. Updated estimates confirmed nearly 2 million infected users.

FalseGuide seeks a ‘device admin permission’ upon installation, entirely unusual for a game guide application. Armed with admin privileges, the malware avoids deletion by the user. From here on in, the malware proceeds to hijack the device before adding it to a botnet of similarly infected devices. The bots can be used for a number of purposes including anything from displaying pop-up ads that contain malicious code to sweeping DDoS attacks on targets.

The researchers wrote:

Depending on the attackers’ objectives, these modules can contain highly malicious code intended to root the device, conduct a DDoS attack, or even penetrate private networks.

FalseGuide, as the name suggests, masquerades as a guiding app due to the popularity. They are easy to develop and they’re known to capitalize on the success of gaming apps.

The malicious apps were submitted to the Google Play store under the fake names of two developers – Sergie Vernik and Nikolai Zalupkin, the latter who is a Russian speaker. The names also suggest a Russian connection to the malware.

While Google has removed the malware from the store after being notified by the researchers, multiple new malicious applications have since been uploaded to Google Play containing the same malware. Check Point researchers have notified Google of the malware-laden apps again.

Image credit: Pexels.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Security Researchers Uncover ‘World’s Most Powerful Android Spyware’

Security researchers at Kaspersky have uncovered a new form of Android spyware with capabilities...

Read more arrow_forward

47 Million Emails/Day: Necurs Botnet Launches Massive Ransomware Campaign

A cybersecurity firm has revealed it has blocked as many as 47 million emails per day spewed by the...

Read more arrow_forward

This Android CryptoMining Malware is Capable of Destroying Android Phones

Cybersecurity researchers have discovered a “jack of all trades” cryptocurrency mining malware...

Read more arrow_forward