Smartphone users often download security applications to help protect their device and data from cyberattacks and hackers. But criminals can also exploit this trend for their own ends, as demonstrated by a total of 36 phoney security tools discovered in the Google Play store which, instead of protecting the user, served up malware, adware, and even tracked the location of the device.
Uncovered by researchers at Trend Micro, various apps advertised themselves as providing security and other useful capabilities including cleaning up junk files, saving battery capacity, and more.
However, the malicious apps also secretly harvested user data, tracked devices' location, and repeatedly and aggressively pushed advertising onto the screen.
Malicious apps posing under names including Security Defender, Security Keeper, Smart Security, and Advanced Boost managed to slip past Play Store defences and onto the devices of Android users. It's likely that by offering a handful of useful services to users and obfuscating their malicious activities, the apps were able to pass the verification process by appearing to be legitimate tools.
After installation, the malicious apps are designed to operate via push alerts which display alarmist warnings on intrusive pop-up windows. Once the app is running, the malware repeatedly bombards the user with fake security warnings.
While these look as if they could be legitimate notifications from a mobile device, the warnings are entirely fake, added by the attackers in order to make the app look as if it is operating as advertised. Those behind the malware even add an extra layer of believability to the notifications by displaying animations which claim problems have been 'resolved' after the user clicks on an alert.
Nothing has actually been improved, however. Instead, interacting with these notifications leads to aggressive adverts appearing on the device: almost every action on a phone infected by this malware leads to a pop-up, generating revenue for the attackers from ad display and click fraud.
In addition to collecting ad revenue, researchers note that the malicious apps are also capable of collecting vast swathes of data about the device, including its Android ID, the network operator, the brand and model of the device, and even its location.
While it's unknown why the attackers are collecting this information, it remains a huge breach of user privacy -- especially given the victim has downloaded the app in order to protect themselves from attackers, not play into their hands.
Google has been notified of the 36 malicious apps and they've since been removed from the Play Store. It's not clear how often the apps were downloaded by users: ZDNet has approached Google for comment, but at the time of publication hadn't received a reply.
In order to avoid falling victim to intrusive malware, Trend Micro recommends users carefully examine app permissions -- because an app which demands extensive permissions in order to perform basic tasks might be something sinister.
"Be aware of the scope of app permissions. Apps sometimes require more than the basic default permissions. Make sure the installed apps only have access to features they need," the researchers said.
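The permission review recommended above can be automated for a decoded `AndroidManifest.xml`. The following is an added example, not code from the article or from Trend Micro; the expected-permission set for a cleaner utility, the reasons attached to each permission, and the sample manifest with its package name are all assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: the permissions a junk-cleaner / battery-saver plausibly needs.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Permissions that gate behaviour the article describes (editor's mapping).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise device location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate device location",
    "android.permission.READ_PHONE_STATE": "phone state and identifiers",
    "android.permission.SYSTEM_ALERT_WINDOW": "pop-ups drawn over other apps",
}
# Constructed sample manifest, not taken from any of the 36 apps.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Example Cleaner"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return every permission name declared in a decoded manifest."""
    # For manifests from untrusted APKs, prefer a hardened parser (defusedxml).
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml, expected=EXPECTED):
    """List (permission, reason) pairs that exceed the expected set."""
    extra = sorted(requested_permissions(manifest_xml) - expected)
    return [(p, SENSITIVE.get(p, "not needed for the stated purpose")) for p in extra]

if __name__ == "__main__":
    for permission, reason in audit(SAMPLE_MANIFEST):
        print(f"REVIEW {permission}: {reason}")
```

A clean result here is not proof of safety: of the data the researchers list, only location sits behind a permission, while the Android ID, brand, model and network operator name can be read by any app without one.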