Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans

upnorth

We recently discovered several malicious optimizer, booster, and utility apps (detected by Trend Micro as AndroidOS_BadBooster.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes, performing mobile ad fraud, and downloading as many as 3,000 malware variants or malicious payloads onto affected devices. These malicious apps, which are supposed to increase device performance by cleaning, organizing, and deleting files, have been collectively downloaded over 470,000 times. Our telemetry shows that this campaign has been active since 2017. As of this writing, Google Play has already removed the malicious apps from the Play Store.
[Figure 1: four images, not reproduced here]
Fraudsters attempt to deceive users by making malicious apps look genuine, so users should do their due diligence before downloading any mobile app.

Verifying an app’s legitimacy is typically done by checking user-created reviews on the Play Store. However, in this particular case, the malicious app is capable of downloading payloads that can post fake reviews unbeknownst to the user. Despite the slew of positive reviews, it does leave some red flags — even though different users left positive reviews, the comments they left contain the same exact text: “Great, works fast and good.” They also gave the app the same four-star rating.
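One way to turn the red flag described above (many accounts posting the identical comment with the identical rating) into an automated check. This is an added example written for this post, not code from Trend Micro or the original article; the reviews below are constructed and the thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample reviews (not real Play Store data). The first four mimic
# the pattern described in the post: the same text and rating from different
# accounts, with only trivial variation. The last two look organic.
SAMPLE_REVIEWS = [
    {"user": "user_a", "stars": 4, "text": "Great, works fast and good."},
    {"user": "user_b", "stars": 4, "text": "Great, works fast and good."},
    {"user": "user_c", "stars": 4, "text": "great works fast and good"},
    {"user": "user_d", "stars": 4, "text": "Great, works fast and good!"},
    {"user": "user_e", "stars": 2, "text": "Drains my battery, uninstalled."},
    {"user": "user_f", "stars": 5, "text": "Cleaned up a lot of junk files."},
]


def normalize(text):
    """Lower-case and strip punctuation so trivially varied copies collapse."""
    return re.sub(r"[^a-z0-9 ]+", "", text.lower()).strip()


def duplicate_clusters(reviews):
    """Count reviews sharing the same normalized text and star rating."""
    return Counter((normalize(r["text"]), r["stars"]) for r in reviews)


def flag_templated_reviews(reviews, min_cluster=3, min_share=0.5):
    """Flag an app when one (text, rating) cluster is posted by at least
    min_cluster distinct accounts and makes up at least min_share of all
    reviews (thresholds are assumed values, tune them to your data).
    Returns (cluster_key, share) when flagged, otherwise None."""
    if not reviews:
        return None
    clusters = duplicate_clusters(reviews)
    key, count = clusters.most_common(1)[0]
    distinct_users = {
        r["user"] for r in reviews if (normalize(r["text"]), r["stars"]) == key
    }
    share = count / len(reviews)
    if count >= min_cluster and len(distinct_users) >= min_cluster and share >= min_share:
        return key, share
    return None
```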