In the past, cyber-criminals have targeted businesses, hospitals, and governments; today, we’ve seen them begin to focus on games and apps intended for children.
Check Point Researchers have revealed nasty malicious code on Google Play Store that hides itself inside roughly 60 game apps, several of which are intended used by children.
According to Google Play’s data, the apps have been downloaded between 3-million and 7-million times.
Dubbed ‘AdultSwine’, these malicious apps wreak havoc in three possible ways:
* Displaying ads from the web that are often highly inappropriate and pornographic.
* Attempting to trick users into installing fake ‘security apps’.
* Inducing users to register to premium services at the user’s expense.
In addition, the malicious code can move laterally within the infrastructure of the phone, opening the door for other attacks such as user credential theft.
Once the infected app is installed on the device, it waits for a boot to occur or for a user to unlock their screen in order to initiate the attack. The attacker then selects which of the above three actions to take and then display on the device owner’s screen.
The malware is able to cause pornographic ads (from the attacker’s library) to pop up without warning on the screen over the legitimate game app being displayed.
Another course of action the malware pursues is scaring users into installing unnecessary and possibly harmful “security” apps.
First, the malware displays a misleading ad claiming a virus has infected the user’s device.
Upon selecting the ‘Remove Virus Now’ call to action, the user is directed to another app in the Google Play Store posing as a virus removal solution.
The “virus removal solution” is anything but — it’s another malware.
Another technique used by the malicious malware is registering to premium services and charging the victim’s account for fraudulent premium services they did not request. In a similar way to the scareware tactic presented above, the malware initially displays a pop-up ad, which attempts to persuade the user to register for this service.
This time however, the ad claims that the user is entitled to win an iPhone by simply answering four short questions. Should the user answer them, the page informs the user that he has been successful, and asks him to enter his phone number to receive the prize. Once entered, the ad itself then uses this number to register to premium services.
Upon being advised of our findings, Google collaborated with Check Point Research, took prompt action to remove affected apps from Play, disabled the developers’ accounts, and will continue to show strong warnings to any users that still have the apps installed.
The scareware “virus removal solution” was suspended from Google Play for using inappropriate marketing tactics to drive installs.
