Quick Heal Security Labs recently spotted multiple Fake Antivirus Apps on Google Play Store. What’s more alarming, is that one of these fake AV Apps has been downloaded 100000+ times already. These Apps appear to be genuine Anti-virus/virus-removal Apps with names like Virus Cleaner, Antivirus security, etc., but do not have any such functionality. As per our analysis, the main purpose of these Apps is to show advertisements and increase the download count.
These Apps mimic the functionalities of a real Anti-virus App and have functions like “Scan Device for Viruses”. As per our analysis, these Apps don’t have any AV engines or scan capabilities except a predefined list of Apps marked as malicious or clean. This list appears to be static and we haven’t seen it getting updated during our analysis. These Fake AV Apps don’t have any functionalities related to malware scanning or identifying any other security issues. These Apps only show a fake virus detection alert to the user and eventually show advertisements.
Fig.1 – Fake Mobile AV & Virus Removal Apps
The interesting part of these applications is that they detect themselves as High Risk Applications.
Fig.2 – Fake Mobile AV App detecting itself as High Risk Application
All these Fake AV Apps have common functionalities as mentioned below –
The Fake AV App contains predefined package lists, like whiteList.json with few whitelist package names, blackListPackages.json with few blacklist package names and blackListActivities.json with a list of blacklisted activities. This list is used for actual scanning and to show final scan results.
Fig. 3 – Predefined static lists of Whitelisted, Blacklisted Apps and actions
It also contains a list of predefined permissions and uses it to show risks associated with other Apps.
Fig. 4 – Predefined list of permissions
Following code snippet shows that it checks installed package names against the pre-defined static Whitelists. Interestingly, this is the reason why it detects itself as High-Risk Application because its own package name is not present in whitelist.json.
Fig. 5 – Code to parse JSON file
Here is the list of Fake AV Apps reported to Google by Quick Heal Security Labs. Google has removed these Apps from the Play Store now-
Fig. 6 – IOCs
Above applications disguise as “security” or “Antivirus” in their name and do nothing related to Security. As explained above, they work only on a pre-defined static Blacklist/Whitelist of Apps and permissions. This might in-turn harm user’s mobile because they don’t have any capabilities to detect real malware and give a false impression of being protected to the end users. This static set of Blacklist/Whitelist and absence of any update mechanism, confirms that these are Adwares disguised as an Anti-Virus or security related App. The download count of these applications is alarming. This shows how easy it is for a malware author to entice end users into downloading junk Apps.
Quick Heal Total Security for Mobile successfully detects these applications as –
Android.Blacklister.A (PUP) and Android.FakeAV.E (PUP).
While, anything that comes FREE might come across as a temptation for you to buy, remember that FREE can also be FAKE! So, beware that you don’t fall prey to the free security software available on Play Store. Go only for trusted brands like Quick Heal when it comes to guaranteed security of your device.
How to stay safe from fake mobile apps –
1. Check an app’s description before you download it.
2. Check the app developer’s name and their website.If the name sounds strange or odd, you have all the reasons to suspect it.
3. Go through the reviews and ratings of the app. But, note that these can also be faked.
4. Avoid downloading apps from third-party app stores.
5. Use a reliable mobile antivirus (like Quick Heal Total Security), that can prevent fake and malicious apps from getting installed on your phone.