A five-star review and the ads go away: How trojan Android apps are tricking users into giving good ratings

Social engineering tricks victims into giving trojan apps a five-star rating on Google's official App Store.
Written by Danny Palmer, Senior Writer

Malicious Android apps are tricking users into giving them high ratings.

Image: iStock

Malicious apps found on the official Google Play store are forcing users to award them five-star reviews, in order to make the apps look legitimate and thus boosting downloads.

These apps are mimicking a technique used by an increasing number of legitimate games and apps available from Google Play, which repeatedly ask the user to give them five stars.

However, one trojan app is going further, asking for high ratings in exchange for a false promise to stop a cascade of ads.

By forcing users to leave high ratings, the app ensures that more users are more likely to download it in future. However, these apps turn out to be worthless to the victim, functioning only to repeatedly serve ads.

Seven versions of Android/Hiddad.BZ were found on Google Play and were downloaded by users at least 5,000 times in total, according to security firm ESET, which described it as "an aggressive ad-displaying trojan."

Posing as an app using variations of 'Tube.Mate' and 'Snaptube' -- potentially to take advantage of people searching for the likes of YouTube and Snapchat -- these apps are advertised as a 'good app with your friends'.

While the use of poor sentence structure might put off some potential users, many go ahead and download it, thanks to a high rating in the Google Play store.


The malicious apps carry high ratings.

Image: ESET

Once downloaded, Hiddad.BZ is launched as 'Music Mania' and produces a fake system screen which requires the installation of a 'plugin android' and overlays the screen of the Android device until it is enabled.

By agreeing to this, the ad-displaying payload is installed onto the device and demands the user allows administrator rights via the use of another irremovable screen which doesn't close until they agree to let the app control how and when the screen locks.

The trojan immediately takes advantage of this new permission, presenting the user with a screen full of ads and asking them to rate the app with five stars in order to "remove all ads". Cancelling this message results in even more ads and requests for installations popping up on the device, with the aim of forcing the user into agreeing to the five-star rating.

It's worth noting how apps that promise users anything in exchange for high ratings are against the Google Play Developer Policy, yet they still made it into the store.


The app repeatedly demands a five-star rating.

Image: ESET

It's possible for users to remove this Trojan from their device, but uninstalling the Music Mania app isn't enough to remove the malicious payload. In order to fully clean an infected device of Hiddad.BZ, ESET researchers recommended disabling its device administrator rights (found under Settings/Security/Device administrators/Permissions Required) then directly uninstalling the 'plugin Android' payload within the Application Manager

ESET reported Music Mania to Google and apps supplying it have consequently been pulled from the store. However, after apps are removed from download from Google Play, they can still live on to torment the users who previously installed them.

ZDNet contacted Google for comment, but hadn't received a reply at the time of publication.

Read more on mobile malware

Editorial standards