Dubbed FalseGuide by the cybersecurity researchers at Check Point who discovered it, the malware was hidden in more than 40 fake companion guide applications for popular games including Pokémon GO and FIFA Mobile. The oldest of these fake guides was uploaded to Google Play on February 14 this year.
Several of the apps have been downloaded more than 50,000 times and it's thought that around 600,000 Android users have mistakenly downloaded the malware when seeking guides for games.
This is far from the first instance of malware on the Google Play store, and it's the latest mobile malware to be discovered attempting to create Android botnets, as the likes of Viking Horde and DressCode did before it.
The FalseGuide botnet is built to deliver fraudulent mobile adware. It downloads and displays illegitimate pop-up adverts with the aim of driving revenue to the malicious authors via ad displays and clicks.
Once downloaded onto a device, FalseGuide requests device admin permission, which the malware uses to ensure the app can't be deleted by the user -- an activity that in itself suggests the app is likely to be malicious.
Hidden malicious nature
Ultimately, this type of malware is able to infiltrate Google Play because the app's malicious nature is hidden, only coming to life once the app has been downloaded and the user has enabled the permissions required for the app to request malicious instructions.
Following installation, the malware registers itself to Firebase Cloud Messaging -- a cross-platform service that allows developers to send notifications and messages -- with a topic bearing the same name as the app, such as 'Guide for Pokemon Go'.
It's by using Firebase that FalseGuide is able to receive additional modules and download them to the infected device. FalseGuide displays pop-up ads out of context by using a background service which begins running when the device boots up.
While those behind FalseGuide are attempting to use it for ad fraud, it can also receive other instruction modules from the command-and-control server, which could instruct the botnet to root device, conduct a DDoS attack, or even infiltrate private networks.
It's thought the malicious apps are of Russian origin as they were submitted under the Russian names of two fake developers -- Sergei Vernik and Nikolai Zalupkin -- with Russian-speaking researchers noting that the latter is clearly a fake name.
Malware developers have chosen to exploit game guides for a simple reason: they're popular. Also, the apps themselves don't require much in terms of features or development. Both factors allow bad actors such as those behind FalseGuide to reach a wide audience with minimal effort.
Check Point initially notified Google about the malware in February, after which it was swiftly removed from the Play Store. However, those behind it have proven persistent, uploading more apps at the beginning of April, which were once again removed after Check Point notified Google.
A Google spokesperson told ZDNet that "we're still making improvements to our system" and said the company "tries to take immediate action whenever whenever a questionable app is brought to our attention".