Malicious apps found on the official Google Play store are forcing users to award them five-star reviews, in order to make the apps look legitimate and thus boosting downloads.
These apps are mimicking a technique used by an increasing number of legitimate games and apps available from Google Play, which repeatedly ask the user to give them five stars.
However, one trojan app is going further, asking for high ratings in exchange for a false promise to stop a cascade of ads.
By forcing users to leave high ratings, the app ensures that more users are more likely to download it in future. However, these apps turn out to be worthless to the victim, functioning only to repeatedly serve ads.
Seven versions of Android/Hiddad.BZ were found on Google Play and were downloaded by users at least 5,000 times in total, according to security firm ESET, which described it as "an aggressive ad-displaying trojan."
Posing as an app using variations of 'Tube.Mate' and 'Snaptube' -- potentially to take advantage of people searching for the likes of YouTube and Snapchat -- these apps are advertised as a 'good app with your friends'.
While the use of poor sentence structure might put off some potential users, many go ahead and download it, thanks to a high rating in the Google Play store.
Once downloaded, Hiddad.BZ is launched as 'Music Mania' and produces a fake system screen which requires the installation of a 'plugin android' and overlays the screen of the Android device until it is enabled.
By agreeing to this, the ad-displaying payload is installed onto the device and demands the user allows administrator rights via the use of another irremovable screen which doesn't close until they agree to let the app control how and when the screen locks.
The trojan immediately takes advantage of this new permission, presenting the user with a screen full of ads and asking them to rate the app with five stars in order to "remove all ads". Cancelling this message results in even more ads and requests for installations popping up on the device, with the aim of forcing the user into agreeing to the five-star rating.
It's worth noting how apps that promise users anything in exchange for high ratings are against the Google Play Developer Policy, yet they still made it into the store.
It's possible for users to remove this Trojan from their device, but uninstalling the Music Mania app isn't enough to remove the malicious payload. In order to fully clean an infected device of Hiddad.BZ, ESET researchers recommended disabling its device administrator rights (found under Settings/Security/Device administrators/Permissions Required) then directly uninstalling the 'plugin Android' payload within the Application Manager
ESET reported Music Mania to Google and apps supplying it have consequently been pulled from the store. However, after apps are removed from download from Google Play, they can still live on to torment the users who previously installed them.
ZDNet contacted Google for comment, but hadn't received a reply at the time of publication.
Read more on mobile malware
- Hackers are using this Android malware to spy on Israeli soldiers
- This Android Trojan pretends to be Flash security update but downloads additional malware
- Over 400 instances of Dresscode malware found on Google Play store, say researchers
- Data-stealing Android ransomware removed from Google Play store
- Android Security Bulletin February 2017: What you need to know [TechRepublic]