A team of security researchers uncovered 36 ‘mobile security apps’ on the Google Play Store that were secretly harvesting user data and aggressively pushing advertisements.
The data harvesting mobile security apps on the Play Store were performing the usual security tasks, thereby making users believe that they were genuine apps with no ulterior motives.
In what could be among the most intelligently-designed malicious apps, as many as 36 such apps on the Google Play Store were found harvesting sensitive user data, sending them to remote servers and aggressively pushing advertisements to user devices as part of a click fraud campaign, while performing the usual functions expected from mobile security apps.
Thanks to security researchers at Trend Micro who reported the set of malicious apps to Google, all these apps no longer exist on the Play Store but it is possible that there could be similar apps lurking around on official app stores because of the way their creators are masking their activities.
All 36 apps were found offering the usual mobile security tools and were named Security Defender, Security Keeper, Smart Security and Advanced Boost by their creators. On the Play Store, their descriptions mentioned capabilities like scanning, cleaning junk, saving battery, cooling the CPU, locking apps, message security and WiFi security, thereby convincing mobile users that they were genuine security apps with the ability to protect their devices from external threats.
However, security researchers at Trend Micro saw through the entire operation being run by the developers behind such apps. They found that not only were these apps secretly harvesting user data and pushing advertisements, the services they were offering were also fake and designed to convince users that their security tools were genuine.
‘Once the app is running, the user will be bombarded with “security” notifications and other messages from the malware. After checking the original code, we found that most detection results from the notifications are false. For example, if the user installs another app, then it will immediately be reported as suspicious.
‘The developers of these apps go far to make their notifications believable. If the user clicks the button to resolve the detected “Fraud SMS Broadcast Vulnerability,” then the app will just show a simple animation illustrating that the problem has been ‘resolved.’ This way, the user will think the app is working and will not be suspicious of it,’ they noted.
User data harvested by these apps included private data like Android ID, Mac address, details of network provider, information about the OS, brand and model of the device, device specifications, language, location information, permissions granted to installed apps, usage stats and notifications. Once such data were harvested, they were passed on to remote servers by these apps.
While Google has kicked out these apps from the Play Store after being notified about their behaviour, it is possible that many more such apps could infiltrate the Play Store in the coming days. As such, to protect their devices from such apps, users should download apps from trusted sources and after reading their reviews, use privacy settings on their apps and sites, and check permissions granted to installed apps.