As many as fifteen ‘adware apps’ masquerading as GPS navigation apps were downloaded up to 50 million times by Android users from the Google Play Store, ESET security researcher Lukas Stefanko has revealed.
The navigation apps, which have now been removed from the Google Play Store, used images stolen from genuine apps to appear legitimate. They offered no real value to users beyond opening Google Maps or calling the Google Maps API, and otherwise only displayed advertisements to those who downloaded them.
Fake navigation apps offered no real functionality
Despite the lack of functionality, these fifteen fake adware apps were downloaded up to 50 million times from the Google Play Store, with one of them, called “Maps & GPS Navigation: Find your route easily!”, exceeding ten million downloads. This app even asked Android users to pay a certain amount for an ad-free experience.
“I tested over 15 fake GPS Navigation apps with over 50,000,000 installs from #GooglePlay that violate Google rules. These apps just open Google Maps or use their API without any additional value for user, except for displaying ads. Some of them don’t even have proper app icon,” Stefanko tweeted last week.
“These apps pretend to be full featured navigation apps, but all they can do is to create useless layer between User and Google Maps app. They attract potential users with fake screenshots stolen from legitimate Navigation apps. Purpose of these apps is ad revenue (easy money). They don’t have any Navigation technology or know-how, they only misuse Google Maps.
“Once user clicks on Drive, Navigate, Route, My Location or other option, Google Maps app is opened. I reported it month ago. One of them even requests payment to remove ads. So, user would pay for something that he has already pre-installed on device – Google Maps.
“If I searched via Maps & Navigation category (consider “Recommended for you” algorithm) I got useless apps as top search result. In top search there is no legitimate GPS Navigation such as Sygic, TomTom or Waze.
“BTW in this thread I only mentioned apps that reached over 1,000,000 installs on #GooglePlay. Unfortunately, these apps make bad name for Android ecosystem & hard working app developers. It is sad, that because apps like that people prefer #iPhones instead of trying #Android,” he added.
Google Play Store a hub of fake apps masquerading as real ones
Fake apps that masquerade as genuine apps offering real value, but that only display advertisements, harvest user data and earn money for their creators, are not a novel concept; fraudsters have used them extensively in the past.
In November last year, Stefanko discovered as many as thirteen fake driving-simulation apps on the Google Play Store that had zero functionality yet were downloaded over 560,000 times in total. Two of them even featured in the Trending section on the Play Store.
Once downloaded and launched, the apps prompted users to install an additional .APK file dubbed Game Center, following which the apps hid themselves and displayed advertisements whenever the devices were unlocked. At the time of installation, the apps also requested certain privileges such as full network access, access to network connections and access to Wi-Fi connections.
In January last year, security researchers at Trend Micro also unearthed thirty-six “mobile security apps” on the Google Play Store that were secretly harvesting user data, sending it to remote servers and aggressively pushing advertisements to user devices as part of a click fraud campaign, while performing the usual functions expected from mobile security apps.
User data harvested by these apps included private data such as the Android ID, MAC address, details of the network provider, information about the OS, the brand and model of the device, device specifications, language, location information, permissions granted to installed apps, usage stats and notifications.