Carlos Castillo is a mobile malware researcher at McAfee, where he specializes in the analysis of mobile threats and ...
In recent years one of the most prevalent malware threats for PC (and lately Mac) users has been fake-antivirus software, which pretends to be a legitimate security program. Its real purpose is to charge victims a fee to remove a nonexistent threat. The same threat has now been ported to mobile devices. In some cases we see the same or similar behavior: getting revenue from users via SMS messages to a premium-rate number, or malware that poses as security software to encourage users to install a malicious app (such as Android/Zitmo.F).
Recently 17 suspicious applications, uploaded by the developer thasnimola, were found in the official Google Play market:
Most of them use a shield as an icon to show that they could be related to “protection” software but some of them also use non-AV names and descriptions with popular keywords like “free,” “Video Downloader,” “Call recorder,” and “sms” to attract users’ attention and encourage the installation of the app. One interesting app is Top Free, which claims “Fast and lightweight malicious app protection for your phone.” Looking at this one further, it is clear that Top Free pretends to be AV software because it uses the screenshots of legitimate AV software as its own:
Some of them also use an “Antivirus FREE” banner on the app’s web page:
However, unlike fake-antivirus software threats for PCs and Macs, these applications do not gain revenue from users by detecting nonexistent Android malware. Instead, these apps make money using a more legitimate method: advertisements. All the suspicious apps were created using the same free online service used to create the Android/DIYDoS hack tool. For this reason the behavior is nearly the same: when the application is executed, a WebView component shows the contents of a URL that is stored in an XML file inside the res/raw folder:
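For triage, the URL such an app loads can be read straight out of the package, because files under res/raw are packaged as-is rather than compiled to binary XML. The following is an added example, not code from the original post or from McAfee; the file name `config.xml`, its element names, and the `.example` URLs are constructed stand-ins, since the post does not show the real file.

```python
import io
import re
import zipfile

MAX_BYTES = 1 << 20  # read at most 1 MiB per entry
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def raw_xml_urls(apk_bytes):
    """Return {entry_name: [urls]} for XML files under res/raw/ in an APK."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if not (name.startswith("res/raw/") and name.lower().endswith(".xml")):
                continue
            # Bounded read so an oversized or bomb-like entry cannot exhaust memory.
            with apk.open(info) as fh:
                data = fh.read(MAX_BYTES)
            # Match URLs by pattern: the real element names are not known here.
            urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(data)})
            if urls:
                hits[name] = urls
    return hits


def build_sample_apk():
    """Constructed stand-in for an APK: a zip with a hypothetical config file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # stub bytes only
        z.writestr("res/raw/config.xml",
                   "<config><url>http://landing.example/page</url></config>")
        # Not under res/raw, so it must not be reported.
        z.writestr("res/layout/main.xml", "<x>http://ignored.example/</x>")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, urls in raw_xml_urls(build_sample_apk()).items():
        print(entry, urls)
```

Running the same function over a batch of APKs from one developer account makes it easy to spot packages that differ only in the configured URL.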
One difference between these apps and Android/DIYDoS is that these include an advertisement module, provided by the online service that creates the applications, which sends sensitive device information (IMEI, GPS coordinates) to a remote server:
Here is the complete list of the unwanted applications that we reported to Google:
|App Name|Package|Installs (Google Play)|
|---|---|---|
|send free sms|com.wPhotoscapeyy|100-500|
|hissam sms collections|com.wcall|100-500|
|top free sms|com.wcopywap5|10-50|
|free message sender|com.wcopywapphoto|10-50|
|free call recorder|com.wfreecallrecorder|N/A|
|youtube video downloader|com.wvideo9|N/A|
All of these have already been removed from Google Play. If you have enabled detection for potentially unwanted programs (PUPs, our default setting), then McAfee Mobile Security for Android will detect these apps as Android/DIYAds.