Over ten million users have been duped in installing a fake Samsung app named "Updates for Samsung" that promises firmware updates, but, in reality, redirects users to an ad-filled website and charges for firmware downloads.
The app takes advantage of the difficulty in getting firmware and operating system updates for Samsung phones, hence the high number of users who have installed it.
"It would be wrong to judge people for mistakenly going to the official application store for the firmware updates after buying a new Android device," the security researcher said. "Vendors frequently bundle their Android OS builds with an intimidating number of software, and it can easily get confusing."
"A user can feel a bit lost about the [system] update procedure. Hence can make a mistake of going to the official application store to look for system update."
Throttles download speed for "free downloads"
The "Updates for Samsung" app promises to solve this problem for non-technical users by providing a centralized location where Samsung phone owners can get their firmware and OS updates.
But according to Kuprins, this is a ruse. The app, which has no affiliation to Samsung, only loads the updato[.]com domain in a WebView (Android browser) component.
Rummaging through the app's reviews, one can see hundreds of users complaining that the site is an ad-infested hellhole where most of them can't find what they're looking -- and that's only when the app works and doesn't crash.
The site does offer both free and paid (legitimate) Samsung firmware updates, but after digging through the app's source code, Kuprins said the website limits the speed of free downloads to 56 KBps, and some free firmware downloads eventually end up timing out.
"During our tests, we too have observed that the downloads don't finish, even when using a reliable network," Kuprins said.
But by crashing all free downloads, the app pushes users to purchase a $34.99 premium package to be able to download any files.
The problem here is that the app breaks Play Store rules and uses its own payment system, rather than using the one provided by the official store, opening users to having their payment data intercepted or logged by a third-party, rather than being handled by Google's secure and better-protected payment channel.
Similarly, the app also offers a $19.99 SIM card unlocking service; yet, it is unclear if this functions as intended, or is just another money-grab.
Not malware, but fraudulent and a scam
All in all, the app is not malware in the traditional meaning of the word, as it does not perform any malicious actions on the user's behalf, or without his consent. The better words for its mode of operation are "scam," "fraudulent," or "adware."
"I haven't found the app to perform anything malicious on the device," Kuprins confirmed to ZDNet when we asked about additional shady behavior. "However, when the app is open - it does display a lot of full-screen advertisements, almost after every other tap on the screen."
Kuprins told us he found the app when he searched the Google Play Store for the word "update," believing the search will most likely surface some bad apps.
"The 'Updates for Samsung' app stood out because of the amount of installs that it had," he told us.
And with 10,000,000 installs, this is the perfect app where Google needs to flex its muscles (the Play Protect service) and have the app disabled on users' phones.