Online scammers are always seeking to trick victims into paying money. Sports betting is a common lure for online scams to attract those who enjoy the thrill of gambling on sports. Usually these scammers use email or SMS messages to invite careless victims to such services. McAfee Labs has recently found many suspicious Android apps on Google Play that try to trick Korean users into registering on the scam websites. The apps claim to be part of a Google-powered service, but this is just a lie, of course.
Figure 1: Examples of the sports betting scam apps found on Google Play.
After launch, the app shows a login screen with a Google logo and claims to be “Google Sports Betting,” a service that is certainly not provided by Google. A user can “sign up” for the service by providing a username, password, nickname, mobile phone number, email address, bank name, bank account number, and so on. The site has a page where users pay to use its betting feature, but nothing on the site identifies the site owner or operating company. Would a legitimate sports betting service disguise itself as a Google service? There’s no doubt that this is a scam site.
Figure 2: The scam service’s login screen and main screen of the app.
To our surprise, the bold app developer illegally uses the Google logo and copyright notice on the app’s description page on Google Play. That misuse alone marks the app as a malicious scam at first glance.
Figure 3: The scam uses screens with the Google logo and copyright notice.
In our investigation, we found some apps disguised as a Google service and others not, but they all share almost identical application code and website structure. The apps simply load the existing scam sites, which are hosted on the same or other servers. The scammers also offer sites to trap desktop PC users. Thus the potential victims are not limited to Android users, but also include users of PCs and other mobile devices.
Figure 4: The PC version of the scam sites disguised as “Google Sports Betting.”
We have discovered more than 30 apps of this kind on Google Play. The total download count stands between 13,000 and 45,000. We have also found many other sites hosting similar services with almost the same site structure, under the same or different server domains.
The actual damage depends on how users spend their time and money on these services, but at the least the scammers get personal information such as mobile phone number and perhaps email address, bank name, and bank account number. Some careless users might have also provided their Google account usernames and passwords on the service’s Google “login screen.” Any login attempt to the real Google account fails, but the information can be stored on the malicious service.
Sports fans, especially those who are looking forward to the upcoming FIFA World Cup in June, should be careful about this kind of sports betting scam. Don’t believe that Google will offer such a fantastic gambling experience for you.
McAfee Mobile Security detects these suspicious apps as Android/ScamBet.A, and also blocks browser access to the related sites.