Phoney Android security apps in Google Play Store found distributing malware, tracking users

36 apps that posed as tools to keep users safe from attacks were actually installing malware on their devices.
Written by Danny Palmer, Senior Writer

Video: In battle against malware, Google adds Play Protect logo to certified Android devices

Smartphone users often download security applications to help protect their device and data from cyberattacks and hackers. But criminals can also exploit this trend for their own ends, as demonstrated by a total of 36 phoney security tools discovered in the Google Play store which, instead of protecting the user, served up malware, adware, and even tracked the location of the device.

Uncovered by researchers at Trend Micro, various apps advertised themselves as providing security and other useful capabilities including cleaning up junk files, saving battery capacity, and more.

See: 17 tips for protecting Windows computers and Macs from ransomware (free PDF)

However, in addition, the malicious apps also sneakily harvested user data, tracked devices' location, and repeatedly and aggressively pushed advertising onto the screen.

Malicious apps posing under names including Security Defender, Security Keeper, Smart Security, and Advanced Boost managed to slip past Play Store defences and onto the devices of Android users. It's likely that by offering a handful of useful services to users and obfuscating their malicious activities, the apps were able to pass the verification process by appearing to be legitimate tools.

After installation, the malicious apps are designed to operate via push alerts which display alarmist warnings on intrusive pop-up windows. Once the app is running, the malware repeatedly bombards the user with fake security warnings.


Users were being infected by apps they believed to be protecting them from attacks.

Image: iStock

While these look as if they could be legitimate notifications from a mobile device, the warnings are entirely fake, added by the attackers in order to make the app look as if it is operating as advertised. Those behind the malware even add an extra layer of believability to the notifications by displaying animations which claim problems have been 'resolved' after the user clicks on an alert.

However, nothing has actually been improved, but rather interacting with these notifications leads to aggressive adverts appearing on the device: almost every action on a phone infected by this malware leads to a pop-up for the purposes of providing revenue from ad display and click fraud to the attackers.

In addition to collecting ad revenue, researchers note that the malicious apps are also capable of collecting vast swathes of data about the device, including its Android ID, the network operator, the brand and model of the device, and even its location.

While it's unknown why the attackers are collecting this information, it remains a huge breach of user privacy -- especially given the victim has downloaded the app in order to protect themselves from attackers, not play into their hands.

Google has been notified of the 36 malicious apps and they've since been removed from the Play Store. It's not clear how often the apps were downloaded by users: ZDNet has approached Google for comment, but at the time of publication hadn't received a reply.

In order to avoid falling victim to intrusive malware, Trend Micro recommends users carefully examine app permissions -- because an app which demands extensive permissions in order to perform basic tasks might be something sinister.

"Be aware of the scope of app permissions. Apps sometimes require more than the basic default permissions. Make sure the installed apps only have access to features they need," the researchers said.

Related coverage

Android security triple-whammy: New attack combines phishing, malware, and data theft

Attacks on three fronts ensure attackers have all the information they need to steal banking details in the latest evolution of the Marcher malware, warn researchers.

Android security alert: Google's latest bulletin warns of 47 bugs, 10 critical

Google's Android security bulletin for December includes a number of flaws that vendors will need to patch.


Editorial standards