FalseGuide misleads users on GooglePlay

Is someone trying to build a botnet on Google Play?

Check Point mobile threat researchers detected a new strain of malware on Google Play, Google's official app store. The malware, dubbed "FalseGuide," was hidden in more than 40 guide apps for games, the oldest of which was uploaded to Google Play on February 14, 2017. Several of the apps reached more than 50,000 installs, and the total number of infected devices is estimated at up to 600,000. Check Point notified Google about the malware, and it was swiftly removed from the app store. At the beginning of April, two new apps containing this malware were uploaded to Google Play, and Check Point notified Google once again.

Similar to previous malware found on Google Play, such as Viking Horde and DressCode, FalseGuide turns the infected devices into a silent botnet, in this case for adware purposes. A botnet is a group of devices controlled by attackers without the knowledge of their owners. The bots can be put to various uses that draw on the combined resources of all the devices.

FalseGuide requests an unusual permission at installation: device administrator rights. The malware uses the admin privilege to resist removal by the user (an app that holds device admin cannot be uninstalled until the privilege is revoked), behaviour which by itself suggests malicious intent. The malware then subscribes to a Firebase Cloud Messaging (FCM) topic whose name matches the app's name. Once subscribed, FalseGuide can receive push messages containing links to additional modules and download them to the infected device. After a long wait we received such a module and were able to determine that the botnet is used to display illegitimate, out-of-context pop-up ads through a background service that starts running once the device boots. Depending on the attackers' objectives, such modules could just as well carry far more harmful code intended to root the device, conduct a DDoS attack, or even penetrate private networks.
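The traits described above (device-admin receiver, FCM message handler, boot-time persistence, network access) are all declared in the app's manifest, so they can be triaged statically from a decoded AndroidManifest.xml before any dynamic analysis. The script below is an example added to this page; it is not Check Point's tooling and nothing in it was recovered from a FalseGuide sample. The manifest it parses is a constructed sample that exhibits the described traits, and the component names (.AdminReceiver, .BootReceiver, .PushService) and package name are hypothetical.

```python
"""Static triage of an Android manifest for FalseGuide-style dropper traits:
a device-admin receiver (uninstall resistance), a Firebase Cloud Messaging
service (remote module delivery), boot persistence and network access.
Example code added to this page; not Check Point's tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# Constructed sample manifest (hypothetical package and component names, not
# taken from a real FalseGuide APK).  A real manifest is obtained with
# `apktool d app.apk` and read from the decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.guide.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".PushService">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def _actions(component):
    """All intent-filter action names declared under a component element."""
    return {a.get(A_NAME) for a in component.iter("action")}


def triage_manifest(xml_text):
    """Return the package name plus a boolean indicator per trait."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}
    receivers = list(root.iter("receiver"))
    services = list(root.iter("service"))
    return {
        "package": root.get("package"),
        "internet": "android.permission.INTERNET" in perms,
        # Device admin: a receiver guarded by BIND_DEVICE_ADMIN that handles
        # DEVICE_ADMIN_ENABLED.  While admin is active the app cannot be
        # uninstalled from Settings.
        "device_admin": any(
            r.get(A_PERM) == "android.permission.BIND_DEVICE_ADMIN"
            and "android.app.action.DEVICE_ADMIN_ENABLED" in _actions(r)
            for r in receivers),
        # Boot persistence: the permission plus a BOOT_COMPLETED receiver,
        # which is how a background ad service gets restarted after reboot.
        "boot_persistence": (
            "android.permission.RECEIVE_BOOT_COMPLETED" in perms
            and any("android.intent.action.BOOT_COMPLETED" in _actions(r)
                    for r in receivers)),
        # FCM: a service handling MESSAGING_EVENT receives topic messages,
        # the channel FalseGuide uses to fetch module download links.
        "fcm_service": any("com.google.firebase.MESSAGING_EVENT" in _actions(s)
                           for s in services),
    }


def is_suspicious(indicators):
    """FalseGuide trait combination: device admin + FCM + network access.
    Legitimate apps (MDM agents, anti-theft tools) hold device admin, and FCM
    alone is benign; it is the combination in a trivial 'guide' app that
    warrants a look at what the FCM handler does with message payloads."""
    return (indicators["device_admin"] and indicators["fcm_service"]
            and indicators["internet"])


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print(f"{key:>17}: {value}")
    print("suspicious:", is_suspicious(result))
```

The check is deliberately a filter, not a verdict: a hit on all three traits means the FCM handler and whatever it downloads should be examined next, since the manifest alone cannot show what the remotely delivered module does.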

FalseGuide masquerades as guide apps for games for two main reasons. First, guide apps are very popular, riding on the success of the games they cover. Second, guide apps require very little development and feature work. For malware developers this is a cheap way to reach a wide audience with minimal effort. The malicious apps were submitted under the names of two fake developers, Sergei Vernik and Nikolai Zalupkin; the first suggests a Russian connection, while the second is clearly (to a Russian speaker) a made-up name.

Mobile botnets have been a growing trend since early 2016, increasing in both sophistication and reach. This type of malware gets into Google Play because the first component is itself non-malicious: it only downloads the actual harmful code after installation, so store-side scanning of the submitted APK sees nothing harmful. Users should not rely on app stores alone for protection, and should run additional security measures on their mobile devices, just as they use similar solutions on their PCs.

Appendix 1 – list of malicious apps found on Google Play

Upload dates are D.M.YY; Min and Max are the install range shown by Google Play at the time, blank where none was recorded. Russian store names are kept as listed (including their spelling): "Справочник для" = "Handbook for", "Руководство для" = "Guide for", "Инструкция к" = "Instructions for".

| Package name | App name | Uploaded | Min installs | Max installs |
|---|---|---|---|---|
| free.oosapp.infofifamobile | Guide or FIFA Mobile | 21.2.17 | 50000 | 100000 |
| info.artapp.guidelegonexoknights | Guide for LEGO Nexo Knights | 15.2.17 | 10000 | 50000 |
| free.oosapp.inforollingsky | Guide for Rolling sky | 20.2.17 | 5000 | 10000 |
| info.artapp.guidelegocitymycity | Guide for LEGO City My City | 14.2.17 | 10000 | 50000 |
| free.oosapp.infoterraria | Guide for Terraria | 20.2.17 | 10000 | 50000 |
| free.oosapp.infoworldoftanksblitz | Справочник для World of Tanks | 20.2.17 | | |
| info.artapp.guidezombietsunami | Руководство для Zombie Tsunami | 15.2.17 | | |
| info.artapp.guidedriftzone | Руководство для Drift Zone 2 | 22.2.17 | 1 | 5 |
| info.artapp.guidemobilelegendsbangbang | Руководство для Mobile Legends | 22.2.17 | 1 | 5 |
| info.artapp.guideinjusticegodsamongus | Руководство для Injustice Gods | 22.2.17 | 1 | 5 |
| info.artapp.guideninjagoshadowofronin | Руководство для Injustice Gods | 22.2.17 | 1 | 5 |
| info.artapp.guideasphaltairborne | Руководство для Asphalt 8 | 22.2.17 | 1 | 5 |
| free.oosapp.infocriminalcase | Справочник для Criminal Case | 21.2.17 | 1 | 5 |
| free.oosapp.infonbalivemobile | Справочник для NBA LIVE Mobile | 21.2.17 | 1 | 5 |
| free.oosapp.infohayday | Справочник для NBA LIVE Mobile | 21.2.17 | 1 | 5 |
| free.oosapp.infosubwaysurfers | Справочник для Subway Surfers | 21.2.17 | 1 | 5 |
| free.oosapp.infozombietsunami | Справочник для Zombie Tsunami | 21.2.17 | 1 | 5 |
| free.oosapp.infogtasanandreas | Справочник для Zombie Tsunami | 20.2.17 | 1 | 5 |
| info.artapp.guideterraria | Руководство для Terraria | 18.2.17 | 1 | 5 |
| info.artapp.guidehayday | Руководство для Hay Day | 18.2.17 | 5 | 10 |
| info.artapp.guideworldoftanksblitz | Руководство для World of Tanks | 18.2.17 | 1 | 5 |
| mobi.guide.pokemon.go.pro | Guide for Pokemon GO | 1.3.17 | 50000 | 100000 |
| guide.tipsamazingspiderman.infopro | Guide Amazing Spider-Man 2 | 2.3.17 | 1000 | 5000 |
| mobi.proguide.lego.marvel.superhero | ProGuide LEGO Marvel Superhero | 1.3.17 | 1000 | 5000 |
| guide.tipsdreamleaguesoccer.infopro | Guide Dream League Soccer | 2.3.17 | 10000 | 50000 |
| mobi.leguide.lego.city.under.cover.pro | LEGUIDE LEGO City Undercover | 27.2.17 | 10000 | 50000 |
| mobi.guide.fnaf2.pro | Руководство для FNAF 2 | 1.3.17 | 1 | 5 |
| mobi.guide.roblox.pro | Руководство для Roblox | 1.3.17 | 1 | 5 |
| guide.tipsfnaftwo.infopro | Guide For FNAF 2 | 8.3.17 | 1000 | 5000 |
| guide.tipsgreattheautovipcity.infopro | Инструцкция The Auto Vip City | 3.3.17 | 1 | 5 |
| mobi.tips.superr.mario.pro | Руководство для Super Mario | 28.2.17 | | |
| mobi.great.the.auto4.pro | Руководство Great The Auto 4 | 28.2.17 | | |
| mobi.guide.cadillacs.pro | Руководство для Cadillacs | 1.3.17 | | |
| mobi.guide.amazing.spider.man2.pro | Руководство для Spider-Man 2 | 28.2.17 | | |
| guide.tipssupermario.infopro | Инструкция к Super Mario | 2.3.17 | | |
| guide.tipslegofriends.infopro | Интсрукция к LEGO Friends | 3.3.17 | 1 | 5 |
| guide.tipsgreattheautofive.infopro | Инструкция к Great The Auto 5 | 2.3.17 | 1 | 5 |
| guide.tipsgreattheautofour.infopro | Инструкция к Great The Auto 4 | 8.3.17 | 1 | 5 |
| guide.tipscadillacs.infopro | Guide for Cadillacs | 3.3.17 | 5000 | 10000 |
| guide.tipsroblox.infopro | Guide for Roblox | 3.3.17 | 10 | 50 |
| mobi.guide.dream.league.soccer.pro | Руководство для League Soccer | 28.2.17 | 1 | 5 |
| mobi.leguide.lego.city.mycity.pro | LEGUIDE LEGO City My City | 27.2.17 | 5000 | 10000 |
| com.megaguide.rollingsky.tricks | Guide for Rolling Sky | 11.4.17 | 500 | 1000 |
| com.megaguide.legoninjagotournament.tricks | Guide for Ninjago Tournament | 6.4.17 | 50000 | 100000 |
| Total | | | 218535 | 596160 |

Appendix 2 – list of SHA256 hashes:

4b1d653c0330e16cae67fb95e070190e72a767740511913b19603be91f8f4f85
f151302d56d8bd0c7882d8931baaf60a5f460e83f927ffcda3001d9e65ab7f56
87a706e6304213002df99b186528fced7ec5e0d4dfa096195b3fa1dae01de9de
8aa0ae3f4ca5c54e4f284928e987522597ee26e2dc1bfed5ec84725b03970987
e3f0cad8b8c6f91f797e2e9b54d3acfb5cee520f7f3a04a6e3c9094e3147b10a
133b47b6677d6a692dd7105af89a9782bc75f5fe8d9889a7265ae887ac3d4d03
76e20d5965b76be1fa5bd76917beeef3f02e183fc0ae475108f7250699f6d59d
8a9133039c1826c78a0b87142e8daa391179424d42705fc55d23d4ccbc01c816
ca84e6c2d963261875633f9e8ede0c20e00750a6b2c8315c667e9a36077d36f7
2cbe420fd2ce4385335ba2d588b4ff1da7e978b96ab4c6c55b7ab0916e9d0a07
6ceed33069104c2d10aebcbf14efd6ef629fee5e2c760478aafa80fa5e61ed47
12c3ae90a8b319b486e595b5ee2f5169f3997ca7811454e6ed9dc044b4c27341
4e9b5e87c9c07791b87bad25748c36a760ecf9b3ea2bd95df3a786c0b16bea0e
8ea8a4ef5e8fed2243e3023cbd5cbf457b61a60cffcaf14ea7b99d4c417d62fd
0a83d9eeeb65c250b422b24ca34eb4738b76803445be480a4d6c9294a637b3be
e9f822bb49223b4d148bf6c1066b815b32143379582e00a8155635e94c569e66
5c02cf78b29de064fb53e80bd4b4fc90b7cbe50766e6b2b16cbbb7aa32969063
8129004c726241829affc579310e3e72076b8f04182ec3c8ac6724b341ad1eb3
2343c1997e321eb96ce8f8a813fccaeb4f6ccddb37b86a7142ba481a6780f6b7
a4c24527c3eb58246b44181e194a454379b15874ee2f0c5d25d279bb04eb0e33
6dad2db7a0efac5c93bd57a70cac4a2978728f9a59f3c225de832783f6aa6fe1
75b54cafdc51283c0674d0081f485ef206c8336f76f4fa9b822b06faeae4962d
039449bb66958b9559531f65ecd859b186950448a8a8cc7d283ba891a516d5dc
73d1bfc8221ee9a89f9a6c8ec0353458a4c034f090ddbf36144a1a117df6fdf3
e70b9d79975ab12aede41a58a251b645899a70800cfef7c89e87a1231760ec3e
be65b2513c03ee65c386e1a899eba77aa08f2c312de97f381a906bec2ea731ee
83834187b47a212ec42d7d93c9036d93ca223fc96d8ab8be5c98a5c2d372449f
93b367892d33d0757efedc1edac43b97a7bf453ec6e631ffe9229a70dacb469d
b6aca219f4903ef09f047968895898df8844276a6847b11d0f5b03f2ef94bbf8
dab6e89b5c75cf2e2ce4a6fc6c11024a669a2c0979970f7fa9e787858f6e1033
3cb3442bffd5704be5d5ff271d104cdb3936e5f1e54edaa840b7eae85d830934
8b528d10ab443f95636fe58fe3a5c2911b98d8286bf4578ebdcba0c339110f92
e7233b8cf97cdcfdbcd5c994fd4c4e2b80e7031858ba1b05ed41e55b1ada557c
5537106f6e5d76ba80d0e8793d99144dda4413c168e45c3bf1c5e3728865314f
984f34d1a7a61b78d2809ba6b2f391c26aab0fb5883a9ec3aa18ac7987196bb8
175e0c5f25a4c0bcba936348354addbcf4feab5c189665b7b332acadad274463
b9e167a93ef1506b0a341ae7940fd7a363a0b34847a1eb8b68955789a75b6a9c
8fbe503d44bb5a938b5b9b85b338b11139342fed5f4e35e45a2d895e10f9cb51
080f4e69d9e8da4b1a673fc30a32483643130d72f80473719984d9123df22fcb
226b2cbce72567ba0e2dcfbfab87f7d35a39950322dfc5a0037d897c06526782
db3e355392e06d1770402e1713f7e41f9642f5b03d11a0e11a39a3d9be5ccbf5
7d9c48d3961ba57a551e302cee4126ceebcd3319e50ebf2869a116831e803301
0948f2dac2bc616385ac7c15af0e6a3b777c424ef349c7a4f6685483eab4c0d0
4f8f4bfdf7716e5ee3566901d5b9456daacaa1e72e236e5927c20cc81da260f3
d41510fc320a1637846fca9d8ba28b2cd6a320e152a79f4f42a49da1b17f8e1b
2bb64a0c7b129f7ab41d9388d2de851fb966026163e66877b31eb9e6ca891243
a833115f0a3a06283055dd07e7a0cb0d6ca87984018d61f7717b09b6aa4009a1
f71f2f561d28d9c90a33e022b6816c647982f6e2f15cd1cf3df7fd92605e7afc
40c4e832440bc978088b197ce886c21778e5cc2bd502ffc8c1cf6832d4906f76
72e49f1401ea5f57cc355a47d6bc5985f31595b1a7864aa3f20ed9638ab154e6
46bef91b6a312e932481da20ba0d8261fc1cff3588a98efb95ffd05ad274e673
4c86dddd2cbdd948e204a4bead9cde309e60ce253b92f905c10a3c592a033a10
0aa28c3a8d5a46d273c8f02ab67bc29a3792e4cced366767ff576067b1d06d0c
47d5d9ceedc848c7a62281ceea5f04177d0bfbc1bf9a0a22167e0b92cc32b711
6fe4f5d59c431211b9feb7986deabd926ae447382a3983139d0db98b2c289104
7fc6379f6dbf9386038b8f4f8881884a1f2071316123870310bf6132ccb9b53c
68aa3991e6a46cc106dacf2a6d41ac7ef3ee72e9ae181cfb4ed67121b1c702a7
22bc82838dc8d868c21689a3668df643f5a5f3e68005007de359354f4c1cda58
a28f4416e143ea15af8d142c89e93649cec5d4ef64ec2fca4e6507f1d432401a
e60b4d46baa95a4841926263b47d0b3042763285656dc0d90e362b54d724c70f
16d9a771f814a83132125462b9d1d2c7f913641d1f9a7bd23a6a40bbb83f8ef2
be316ee4a682ca1f284a03e1545617c83638b0d8da999f3046cb256e55e7705d
36d9eecba9968487d5bcb858848db2ba80f47fd46262570f48de39bf777cdd2d
24c56e9423208cf43fb3185973e184b5922768a7ed42b0355b744591b66cb748
07dcb523c3b0778e44b5c6ddaa8393cb2dbeed9492365b5a39422ccc811989c7
d8294d92e89a74e19b9fc2ce4f8afee7b62df189f0ac03e3fb8f175b073a2961
aad7caf701a2f73430a30f73f5d85950ab2162b618f7435d2c45fca5f068348d
c9d1631cffe08ae9f12ca47b038d6ba72ca40d44c8854736f304f992d317b7af
90ae699af2b913ec147b38d73a9da053385c80bedecf77ffe337aea66b7a4cea
95a7b5db9d9e59dbb5ea8912e506949a9d42bc3f6e687d1317dd3ef85e573bf3
3193a4ad4e13633cb488432c403f1ceb46a6b6a8b94642f8815ea9f94d2ec6eb
7afd6ab6a9cb6166bdae0944ed7ba0042a1dd77aa1ab20234601c50e9d27411f

The post FalseGuide misleads users on GooglePlay appeared first on Check Point Blog.

from Check Point Blog http://ift.tt/2pZocYy
