ESET researchers have analysed a newly discovered set of apps on Google Play, Google’s official Android app store, that pose as security applications. Instead of security, all they provide is unwanted ads and ineffective pseudo-security.
According to AV-Comparatives, an independent testing organisation, there are significant differences in the level of protection provided by mobile security solutions. However, even the poorest of them are still far better than questionable apps that impersonate security applications in order to display ads to users. Thirty-five such applications have recently been discovered in the Google Play official Android app store.

These ads have flown under the radar for years, with Google Play statistics showing a minimum of over six million installs, cumulatively. However, not all those were necessarily real installations: it’s a common practice to make fake downloads by bots that subsequently post positive reviews and improve their respective app’s ratings.

All 35 apps have been flagged by ESET and removed from the store.

On top of annoying their victims with ads, disguising these apps as security software has some serious negative side effects, too. In mimicking basic security functions – in fact, they all act as very primitive security checkers relying on a few trivial hardcoded rules – they often detect legitimate apps as malicious. And last but not least, they create a false sense of security in the victims, which might expose them to real risks from malicious apps that are not detected as such.

ESET’s analysis has shown that among these 35 apps, only a handful stand out for their specific features: one app is not completely free as it offers a paid upgrade; one app has implemented a primitive, easily bypassed, app-locker manager; another app flags other apps from this group as dangerous by default; and finally, one misuses ESET’s branding.

In order to stay under the radar, all the shady ad-displaying apps mimic actual mobile security solutions. However, their ‘detection mechanisms’ are incomplete and very primitive , which makes them easy to bypass and prone to false positives.

ESET’s research into these questionable apps has shown that their ‘detection mechanisms’ can be divided into four categories. These mechanisms are identical or almost identical across the whole set of apps.

* Package name whitelist & blacklist – These whitelist features popular apps such as Facebook, Instagram, LinkedIn, Skype and others. The ‘blacklists’ contains far too few items to be considered security functionality at all.

* Permission blacklist – All apps (including legitimate ones) are flagged if they require some of the listed permissions that are considered dangerous, such as send and receive SMS, access location data, access the camera, etc.

* Source whitelist – All apps but from the official Android store, Google Play are flagged – even if they are completely benign.

* Activities blacklist – All apps that contain any of the blacklisted activities: that is, parts of applications. This mainly concerns some ad-displaying activities.