Unwanted Apps in Google Play Pose as Fake AV

In recent years one of the most prevalent malware threats for PC (and lately Mac) users has been fake-antivirus software, which pretends to be a legitimate security program. Its real purpose is to charge victims a fee to remove a nonexistent threat. The same threat has now been ported to mobile devices. In some cases we see the same or similar behavior: getting revenue from users via SMS messages to a premium-rate number, or malware that poses as security software to encourage users to install a malicious app (such as Android/Zitmo.F).

Recently 17 suspicious applications, uploaded by the developer thasnimola, were found in the official Google Play market:

Most of them use a shield as an icon to suggest that they are related to “protection” software, but some of them also use non-AV names and descriptions with popular keywords like “free,” “Video Downloader,” “Call recorder,” and “sms” to attract users’ attention and encourage the installation of the app. One interesting app is Top Free, which claims “Fast and lightweight malicious app protection for your phone.” Looking at this one further, it is clear that Top Free pretends to be AV software because it uses the screenshots of legitimate AV software as its own:

Some of them also use an “Antivirus FREE” banner on the app’s web page:

However, unlike fake-antivirus software threats for PCs and Macs, these applications do not gain revenue from users by detecting nonexistent Android malware. Instead, these apps make money using a more legitimate method: advertisements. All the suspicious apps were created using the same free online service used to create the Android/DIYDoS hack tool. For this reason the behavior is nearly the same: when the application is executed, a WebView component shows the contents of a URL that is stored in an XML file inside the res/raw folder:

One difference between these apps and Android/DIYDoS is that these include an advertisement module, provided by the online service that creates the applications, that sends sensitive device information (IMEI, GPS coordinates) to a remote server:
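A triage sketch for the two traits described above, added here as an example and not taken from the original analysis: it lists URLs found in XML files under res/raw and checks whether the manifest names the permissions needed to read the IMEI and GPS position. The file name config.xml, the example.invalid URL and the sample APK are constructed, and the manifest check is a string-search heuristic rather than a full binary-XML parse.

```python
import io
import re
import zipfile

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
# Permissions an app must request to read the IMEI and the GPS position.
PERMISSIONS = ("android.permission.READ_PHONE_STATE",
               "android.permission.ACCESS_FINE_LOCATION")


def raw_xml_urls(apk):
    """Map each res/raw/*.xml entry (stored uncompiled) to the URLs in it."""
    found = {}
    for name in apk.namelist():
        if name.startswith("res/raw/") and name.lower().endswith(".xml"):
            urls = sorted({u.decode("ascii", "replace")
                           for u in URL_RE.findall(apk.read(name))})
            if urls:
                found[name] = urls
    return found


def requested_permissions(apk):
    """Heuristic: look for permission names in the binary manifest's strings."""
    if "AndroidManifest.xml" not in apk.namelist():
        return []
    manifest = apk.read("AndroidManifest.xml")
    return [p for p in PERMISSIONS
            if p.encode("utf-8") in manifest or p.encode("utf-16-le") in manifest]


def triage(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        urls, perms = raw_xml_urls(apk), requested_permissions(apk)
    return {"raw_xml_urls": urls, "permissions": perms,
            "review": bool(urls) and len(perms) == len(PERMISSIONS)}


def build_sample_apk():
    """Constructed sample: a minimal zip laid out like the apps described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/raw/config.xml", "<url>http://example.invalid/start.html</url>")
        z.writestr("AndroidManifest.xml", "\0".join(PERMISSIONS).encode("utf-16-le"))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_apk()))
```

A `review` result of `True` only marks the APK for manual inspection; many legitimate apps request the same permissions.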

Here is the complete list of the unwanted applications that we reported to Google:

| App Name | Package | Installs (Google Play) |
|---|---|---|
| love sms | com.wDictionarye | 100-500 |
| jokes | com.wcopywap2 | 100-500 |
| video convertor | com.whackmanmobisms | 100-500 |
| send free sms | com.wPhotoscapeyy | 100-500 |
| sms sender | com.wcopywap6 | 100-500 |
| top free | com.wcopywap4 | 100-500 |
| friendship sms | com.wvideodown2 | 100-500 |
| hissam sms collections | com.wcall | 100-500 |
| top free sms | com.wcopywap5 | 10-50 |
| sms free | com.wSpokenEnglisheee | 10-50 |
| free message sender | com.wcopywapphoto | 10-50 |
| shayaries | com.wTabla | 1-5 |
| sms | com.whissamsmscollections | 1-5 |
| sms collections | com.wChromea | 1-5 |
| free call recorder | com.wfreecallrecorder | N/A |
| youtube video downloader | com.wvideo9 | N/A |
| free sms | com.whissamsmscollections2 | N/A |

All of these have already been removed from Google Play. If you have enabled detection for potentially unwanted programs (PUPs, our default setting), then McAfee Mobile Security for Android will detect these apps as Android/DIYAds.