These 8 Android Apps on Play Store Contain Android/FakeApp Trojan


Article updated on Tuesday, November 19 with statement from Google.

Eight Android apps on the Google Play Store, downloaded by millions, contain the Android.FakeApp trojan, stealing user data – Here’s the complete list, delete them NOW!

Russian cybersecurity firm Dr. Web has exposed several Android apps on the Google Play Store that contain a sophisticated trojan, Android.FakeApp.1669 (also known as Android/FakeApp).

These apps, which claim to provide practical functions like financial tools, planners, and recipe books, contain a hidden payload that redirects users to unwanted websites, compromising their data. What’s worse, more than 2 million users have downloaded these infected apps from Google Play, unaware of the threat.

Malware on the official Google Play Store is nothing new. In fact, reports from last month indicate a rise in malicious apps on both the Apple App Store and Google Play Store.

One of the infected apps, with over 1 million downloads, has recent user comments expressing frustration with its functionality (Screenshot credit: Hackread.com).

Android.FakeApp.1669

Android.FakeApp.1669 is part of the Android.FakeApp trojan family, a group of malware that is disguised as legitimate apps and usually redirects users to different websites. However, this variant is especially notable due to its reliance on a modified dnsjava library that allows it to receive commands from a malicious DNS server, which, in turn, supplies a target link. Instead of the app’s advertised function, this target link is displayed on the user’s screen, often pretending to be an online casino or an unrelated website.

According to Dr. Web’s report, the malware activates only under specific conditions. If the infected device is connected to the Internet through designated mobile data providers, the DNS server will send a configuration to the app, containing a link that loads within the app’s WebView interface. When not connected to targeted networks, the app functions as expected, making detection difficult for users.

In January 2018, the Android.FakeApp trojan was first discovered in a fake Uber app for Android. Later, in March 2018, the same malware targeted Facebook users to steal data. In May 2020, a fake mobile version of the game Valorant was spreading the Android.FakeApp trojan just as the official version was set to release that summer.

Infected Apps and Download Counts

These apps claimed to be useful tools, from personal finance and productivity applications to cooking and recipe collections. However, once launched, the apps would connect to the DNS server to retrieve a configuration containing the website link to display.

Dr. Web’s investigation revealed several apps on the Google Play Store, some with high download counts, infected by Android.FakeApp.1669. While Google has removed some of these apps, millions of users had already installed them before the removal. Below is a list of apps identified by Dr. Web’s malware analysts, with their respective download counts:

| App Name | Number of Downloads |
|---|---|
| Split it: Checks and Tips | 1,000,000+ (On Google Play at the time of writing) |
| FlashPage parser | 500,000+ (On Google Play at the time of writing) |
| BeYummy – your cookbook | 100,000+ (On Google Play at the time of writing) |
| Memogen | 100,000+ (Deleted) |
| Display Moving Message | 100,000+ (On Google Play at the time of writing) |
| WordCount | 100,000+ (On Google Play at the time of writing) |
| Goal Achievement Planner | 100,000+ (On Google Play at the time of writing) |
| DualText Compare | 100,000+ (On Google Play at the time of writing) |
| Travel Memo | 100,000+ (Deleted) |
| DessertDreams Recipes | 50,000+ (On Google Play at the time of writing) |
| Score Time | 10,000+ (Deleted) |

How Android.FakeApp.1669 Operates

Once downloaded, the trojan gathers specific data from the user’s device, such as:

  • Screen size
  • Device model and brand
  • Battery charge percentage
  • Developer settings status
  • Device ID, which includes the installation time and a random number.

This data is encoded into a unique sub-domain name, which allows the server to customize its response to each infected device. When the device meets the connection criteria, Android.FakeApp.1669 retrieves and decrypts data from the DNS server, eventually loading a link that redirects to an unwanted website, typically an online casino.

The decryption process involves reversing and decoding Base64 data and decompressing it, revealing sensitive configuration details.
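
For analysts triaging a captured DNS response, the decoding steps described above can be reproduced offline. The following is an added example, not code from Dr. Web or from the malware; the function names, the gzip/zlib compression format, the size cap and the sample record are all assumptions made for illustration.

```python
import base64
import binascii
import gzip
import re
import zlib

MAX_CONFIG_BYTES = 64 * 1024  # cap output so a hostile record cannot exhaust memory


def decode_config(record: str) -> bytes:
    """Undo the steps the article lists: reverse, Base64-decode, decompress."""
    text = record.strip()[::-1]
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not reversed Base64: {exc}") from exc
    # Assumption: the page does not name the compression format.
    # wbits=47 makes zlib accept either a gzip or a zlib header.
    stream = zlib.decompressobj(47)
    try:
        out = stream.decompress(raw, MAX_CONFIG_BYTES)
    except zlib.error as exc:
        raise ValueError(f"decoded bytes are not gzip/zlib: {exc}") from exc
    if not stream.eof:
        raise ValueError("stream truncated or larger than the size cap")
    return out


def extract_links(config: bytes) -> list[str]:
    """Pull http(s) links out of a decoded config for blocklisting or hunting."""
    found = re.findall(rb"https?://[^\s\"'<>]+", config)
    return [u.decode("ascii", "replace") for u in found]


def make_sample_record() -> str:
    """Constructed sample (not real traffic); the key=value layout is invented."""
    config = b"link=https://landing.example.invalid/\n"
    return base64.b64encode(gzip.compress(config)).decode("ascii")[::-1]


if __name__ == "__main__":
    record = make_sample_record()
    print(extract_links(decode_config(record)))
    for bad in ("!!!not-base64!!!", "kFmY"):  # second is Base64 of b"bad", reversed
        try:
            decode_config(bad)
        except ValueError as err:
            print("rejected:", err)
```

Links recovered this way can be fed into DNS or proxy blocklists and used to search historical logs for other affected devices.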

Google’s Response

Hackread.com contacted Google, and a spokesperson confirmed that all the mentioned apps have been removed from the Play Store.

“All of the malicious versions of the apps identified by this report have been removed from Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behaviour, even when those apps come from sources outside of Play.”

A Google Spokesperson

Recommendations for Users

Given the high download count, Android users should take immediate steps to protect themselves. First, it’s crucial to delete any infected apps. Uninstall any app from the list provided or other similar apps that display suspicious behaviour to minimize potential security risks.

Additionally, read the comments on these apps; many users have left negative reviews, noting that the apps spam ads and cause their devices to freeze, a behaviour that allows the malware to operate in the background.

Next, use trusted security software. Regularly checking app permissions is another vital step. Users should review the permissions requested by apps, avoiding any unnecessary access that could compromise device security. Additionally, updating both the device and applications frequently can help prevent certain types of malware infections, as updates often include important security patches.

Nevertheless, download with caution, even when using official sources like Google Play. Reviewing app permissions and reading user feedback before downloading can help spot potential red flags and avoid risky apps.
