Malicious malware impacting reviews and ratings of application


The COVID-19 pandemic has confined a big part of the population indoors, doing their work and daily chores online. This has had a direct impact on mobile app usage trends, especially among on-demand mobile apps. Mobile applications have become a necessity for varied purposes, including video conferencing, communicating, attending online classes, streaming services, playing games, and ordering food, vegetables, and medicines online.

The Google Play Store and the App Store are loaded with thousands of mobile apps, making it challenging to decide which app is worth downloading. App ‘Reviews’ and ‘Ratings’ are one way of figuring out whether the app is worth your time.

But malware is impacting the reviews and ratings of applications. Malware authors abuse the accessibility service of mobile devices to download apps and create fake accounts using the email ID of the user connected with the application. They then post fake reviews and ratings for the application, or display ads and fool users with a false promise of removing the ads in exchange for a 5 Star rating.

Why are ratings and reviews important for mobile applications?

App reviews and rankings help people choose the most valuable apps and can be the main driver of app downloads. Mobile app reviews matter to improve app store ranking, and also to:

  • Increase app downloads – Higher ratings determine app visibility and authenticity and convince users to install the application.
  • Guide purchasing behaviour – People value the opinion of others and look for their affirmation to make smart decisions; this is known as social proof. The more positive social proof you can display, the more likely new users will show interest in your app.
  • Boost conversion rates – When other users respond to reviews, it can help improve your app’s appeal and discoverability. When you respond to comments, it shows you are paying attention to your customers and engaging with them. This can help increase positive reviews and in turn boost conversion rates.
  • Improve product – The Play Store recommendation engine mostly features highly rated applications, and more positive reviews give a higher rank in search results.


Reviews and ratings are an invaluable source of feedback. Not only are ratings and reviews absolutely necessary to drive the purchase process, but companies are also missing out on sales, profits, and priceless information without them.

Dealing with fake reviews and ratings

App reviews and ratings play a huge role in the success of any application. Considered a big deal on the Google Play Store or App Store, reviews and ratings can make or break your app’s future. This valuable asset has caught the attention of malware authors, who plant fake reviews to get high rankings in the Play Store and more downloads. There are various ways to implement these fake reviews and ratings:

  • Offer some service in exchange for 5 star or positive reviews.
  • Offer advertisement removal in exchange for 5 Star ratings or reviews.
  • Offer next game level or additional bonus points in exchange for reviews or ratings.
  • Abuse of the mobile device’s accessibility service to post fake reviews.


Let us look at one example that offers advertisement removal in exchange for ratings.

We have seen several applications aggressively displaying advertisements to the user. When a user installs such an application on his device and launches it, it displays advertisements aggressively and fools the user with a false promise of removing them in exchange for a 5 Star rating.

These applications trick users into leaving high ratings, making them more likely to be downloaded in the future.


How it works…

When the user clicks the icon to launch the application, an ad-displaying component is loaded. It manifests itself as a fake system screen requiring the installation of “plugin android”, as shown in Fig 01.

(Fig 01) 

By clicking the install button, the ad-displaying payload gets installed. The user is then notified to activate device administrator rights for the fake “plugin” by another screen that cannot be dismissed.

After granting the rights, the user is immediately shown a screen full of ads and continuously asked to rate the app with five stars “to remove all ads”. Cancelling the message results in even more ads being shown on the user’s device, aiming to provoke the user into rating the app the next time the prompt is displayed, as shown in Fig 02 and 03.

Fig 02 shows a full-screen advertisement of a gaming application.

(Fig 02)


(Fig 03) 


To clean the infected device, it is not enough to uninstall the application; the user also needs to disable “Device Administrator” rights for the application and uninstall the “plugin android” from the Application Manager, as shown in Fig 04, 05, and 06.

(Fig 04)


(Fig 05)


(Fig 06)


Alternatively, one should have a trusted AV like “Quick Heal Mobile Security for Android”. It will protect your phone from any such vulnerabilities and protect you from downloading malicious apps on your phone. Quick Heal detects such applications as Android.Hiddad.GEN13670.

Planting fake reviews is also a new way for malware authors to expand their cybercrime: they take advantage of the accessibility function of Android to create fake accounts and drop fake reviews.



These Trojan applications are highly obfuscated and use the Google Accessibility Service. Once they get the permissions, the malware can interact with the UI and applications of the user’s mobile device. These applications look like system applications to hide from the user. The application collects information about the user’s device when the user unlocks the device’s screen and sends it to the attacker’s servers. The server returns the commands for the application to execute.

The server can send various kinds of commands, which the application follows:

  • Deactivate Google Play Protect by abusing the accessibility service.
  • Download and open ad-displaying applications from Google Play or third-party app stores without any user interaction.
  • Use the user’s legitimate Google account or any social media account to register with other applications.
  • Leave reviews on the applications on behalf of the user.
  • Open links received from the remote server in an invisible window and hide the app from the app menu.


If the accessibility service has not been granted, the malware can show toast messages to try to convince the user to perform certain actions, either to obtain the accessibility service or to get the user to deactivate any security option that still stands in its way.

Quick Heal detects such malicious applications as Android.Piom.Aa833.
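Both families above depend on two grants the user is tricked into giving: device administrator rights (the “plugin android” case) and the accessibility service (the fake-review Trojan). The script below is an added triage example, not part of the original post or of any Quick Heal product: it parses the text output of three adb shell commands (settings get secure enabled_accessibility_services, dumpsys device_policy, pm list packages -3) and flags third-party packages holding either grant. The sample outputs and package names are constructed, and the dumpsys layout is an approximation of what real devices print.

```python
"""Flag third-party Android packages holding accessibility or device-admin grants.
Feed it the text of the three adb commands named in the comments; the samples
below are constructed and the package names are hypothetical."""
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
                 ":com.example.pluginandroid/.A11yService")

# Constructed, abbreviated sample of: adb shell dumpsys device_policy (layout approximate)
DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.pluginandroid/.AdminReceiver:
      uid=10231
      testOnlyAdmin=false
    com.android.settings/.DeviceAdminReceiver:
      uid=1000
"""

# Constructed sample of: adb shell pm list packages -3 (third-party apps only)
THIRD_PARTY = """package:com.example.pluginandroid
package:com.example.freegame
"""

def accessibility_packages(settings_value):
    """Split the colon-separated pkg/Component list into package names."""
    return {c.split("/")[0] for c in settings_value.split(":") if c.strip()}

def device_admin_packages(dumpsys_text):
    """Collect packages listed under 'Enabled Device Admins' in dumpsys output."""
    pkgs, in_section = set(), False
    for line in dumpsys_text.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        m = re.match(r"^\s+([A-Za-z0-9_.]+)/\S+:$", line)  # '    pkg/.Receiver:'
        if in_section and m:
            pkgs.add(m.group(1))
    return pkgs

def third_party_packages(pm_output):
    """Parse 'package:<name>' lines from pm list packages."""
    return {l.split(":", 1)[1].strip() for l in pm_output.splitlines() if l.startswith("package:")}

def suspicious_grants(a11y, dumpsys, pm):
    """Return {package: [grant, ...]} for third-party apps holding either grant."""
    third, found = third_party_packages(pm), {}
    for pkg in sorted(accessibility_packages(a11y) & third):
        found.setdefault(pkg, []).append("accessibility")
    for pkg in sorted(device_admin_packages(dumpsys) & third):
        found.setdefault(pkg, []).append("device_admin")
    return found

if __name__ == "__main__":
    for pkg, grants in suspicious_grants(ACCESSIBILITY, DEVICE_POLICY, THIRD_PARTY).items():
        print(f"{pkg}: {', '.join(grants)} -> revoke the grant, then uninstall")
```

A flagged package matches the cleanup order in Fig 04 to 06: revoke the device administrator or accessibility grant first, because uninstalling alone is blocked or undone while the grant stands.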


How to combat fake review attacks and stay safe?

  • Always download applications from legitimate sources like Google Play and App Store.
  • Learn how to identify fake applications in Google Play Store.
  • It is recommended not to download and install applications only on the basis of reviews and ratings.
  • Read the pop-up messages you get from the Android system before accepting/allowing any new permissions.
  • Be extremely cautious about what applications you download on your phone.
  • Malicious developers spoof original application names and developer names. So, make sure you are downloading genuine applications only. Often application descriptions contain typos and grammatical mistakes. Check the developer’s website if a link is available on the application’s webpage. Avoid using it if anything looks strange or odd.
  • Avoid downloading applications from third-party application stores or links provided in SMSs, emails, or WhatsApp messages. Also, avoid installing applications that are downloaded after clicking on an advertisement.
  • For enhanced protection, always use a good antivirus on your phone, such as Quick Heal Mobile Security for Android.
Akshay Singla