Blog
Vaibhav Billade

Alert! 27 apps found on Google Play Store that prompt you to install Fake Google Play Store

August 19, 2019
0
Estimated reading time: 5 minutes

Quick Heal Security Lab spotted 27 malicious apps of dropper category on official “Google Play Store”. These apps have been removed from Play Store after Quick Heal Security Lab reported it to Google last week. These apps continuously show installation prompt for fake “Google Play Store”. If any user falls prey to this trap and installs the fake “Google Play Store” app, then his device gets infected by an Adware. The parent apps launch dropped app without any user interaction. On launching, it displays some stored wallpaper and after that, it hides its icon. So user will not be able to identify easily which app is showing the advertisements.

The fake “Google Play Store” remains in device even after its parent app is uninstalled and it keeps on displaying full screen adds at random time intervals. These Apps were published by same developer with name “AFAD Drift Racer”. All these apps belong to free Car Racing Games category.

Fig 1: Malicious dropper apps from Google Play store

After installing and using any of the above apps, the app continuously show an installation prompt of fake Google Play Store. It states that you need to install Google Play Store for gaming purpose. If we cancel the installation prompt, then it shows the pop-up continuously until you install the app. Whereas, in reality, for gaming purpose Google Play Games is required. If any game is not supported by latest version of Google Play Games, then there is a pop-up to update “Google Play Games” and it redirects to play store. Google Play Games never download itself nor gives a pop-up for installation. If we cancel the installation prompt, then it shows the pop-up continuously until you install the app.

On executing the parent app, it launches the dropped app as shown in below image.

Fig.2: Launching dropped package

For making an illusion of genuine Google Play Store app, it uses the similar icon of Google Play Store. Sometimes, it is easy to distinguish between fake and real app based on the icon. 

Fig.3: Dropped app package

After installing fake Google Play Store app, we can see it for few seconds and then it automatically hides its icon. The app keeps on running in background and shows full screen ads till you don’t uninstall it manually.

Showing aggressive ads and making money from them is monetization concept used by malware authors. In this case even if user is not using the app, still full screen ads are shown. This not only degrades user experience but also wastes his time.

Quick Heal Mobile Security detects these apps by detection name “Android.Dropper.F” and the dropped apps by detection name “Android.HiddenAd.A“.

Fig.4: Fake Google Play Store installation prompt and full-screen ads displayed after installation

Follow these steps to check whether a fake Google Play Store is installed on your phone.

  1. Go to Setting-> Apps & notifications OR Settings -> App Manager.

This would change as per your Phone Manufacturer.

Fig 5: Fake Google Play Store

  1. Identify fake Google Play Store as shown below. Genuine Google Play Store app can never be uninstalled and shows option of disable instead.

Fig 6: Fake and original Google Play Store in-app manager

  1. If such a Google Play Store app is found on your phone, you should Uninstall it immediately.

Here is the list of malicious package names with MD5 removed from Play Store:

Package Name MD5
com.cit.cliosport 23f03560eafe72951b1d8a2f955d5771
com.cit.veyron cf4a803f3910f71e106ba23923091c5
com.cit.sls 3720fe03b1f8122abd9c7c69fa906030
com.cit.dodgeram cac14e53952c9f4b1600340106e4a398
com.cit.mustang 3d23fb4a68cca7759e4d38bfa1ac710c
com.cit.viper 651964babc944f4f48ed6dba80848399
com.cit.m3 6f9d7eeec90ac88e6eaf65fbe75eec7c
com.cit.p911 5659db7af3faecb4408462b769dc43df
com.cit.mustang74 460043de1b5d79c55b7e6454e1ade753
com.cit.r8 e68f5c1a0275bc9fb3308033ed19df2c
com.cit.golf cc6f569b5090369b46cf2643f8a14597
com.cit.gam 9ce3a3fca7785b2bab5271fad1477940
com.cit.clio 89077157bf3aab2013b9eb24dc6b40e2
com.cit.m3classic a7ac94bc0e8de4402f2ffc94c6d8ff58
com.cit.supra 7c15dd5f540a706c7094801f1a15874e
com.cit.gt 2351be406094279760df029811738945
com.cit.gallardo b6f40433b44d8d3f7ae11638333ccf45
com.cit.cooper 4a6171812af502131d71f7387b5a3245
com.cit.q7 ca645d622bd26c6804cd21360d95e13c
com.cit.mustang72 0a498c79835247005e1f422619372835
com.cit.skylinegtr 3946517acd5532bf0d2d9efc81563142
com.cit.lancerevo 92c64d6f77d235920e0a7751e6947924


How to stay safe from fake mobile apps

1. Check an app’s description before you download it.

2. Check the app developer’s name and their website. If the name sounds strange or odd, you have all the reasons to suspect it.

3. Go through the reviews and ratings of the app. But, note that these can also be faked.

4. Avoid downloading apps from third-party app stores.

5. Use a reliable mobile antivirus that can prevent fake and malicious apps from getting installed on your phone.

Google Play Store links for Malicious apps reported by QuickHeal

Note: These apps have been removed from Google Play Store by Google last week.

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.cliosport

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.veyron

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.sls

https[:]//play[.]google[.]com/apps/details?id=com.cit.dodgeram

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.gt

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.gallardo

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.mustang

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.supra

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.viper

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.m3

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.f500

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.p911

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.amarok

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.mustang72

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.mustang74

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.q7

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.m3classic

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.gam

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.r8

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.skylinegtr

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.m3sport

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.golf

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.clio

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.gam

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.cooper

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.lancerevo

https[:]//play[.]google[.]com/store/apps/details?id=com.cit.hummer&hl=en

Have something to add to this story? Share it in the comments.

Vaibhav Billade
About Vaibhav Billade
Vaibhav is an Associate Security Researcher at Quick Heal Technologies. He is interested in Reverse Engineering, Malware analysis and...
Articles by Vaibhav Billade »

No Comments, Be The First!

Your email address will not be published.

CAPTCHA Image