Android Apps Get Hit with the Evil Twin Routine Part 2: Play It Again Spam

If you have not heard of this term yet, I guarantee you will in the months to come. The term is market spam. This is not a new term or an issue that affects one or two app stores; this is a systemic problem that impacts app stores at large, where spammers focus on getting around rules and screening processes of the app stores with the goal of making a quick buck. The goal of most market spam is to get to a mass audience in the shortest time possible and to prolong its presence on a device. Regardless of how it is done, the long term effect is monetary gains for the rogue publisher at some cost to the end user.

To increase the revenue earning potential, the app developer has to maximize the length of time that they have access to a user device. There are several strategies to achieve this, which include:

  • Keep an app on a device for as long as possible.
  • Get several apps from the same developer to transit through a device as a result of suggestive download recommendations. Many apps (particularly free ones) often suggest further downloads of other apps from the same developer. Essentially this has the same effect as an extended stay from a single app.

Without strategies to extend the life of the app on the device, the window of opportunity for a market spammer to make serious money is short-lived.

To better understand the effects of these strategies, let’s look at an example of two incidents recently identified. The incidents involved two different apps using two different publisher IDs. Both were published around the same date on Google Play (June 23 or 24). The first app was a traditional smash-and-grab type malware—a Trojan that sends SMS messages to premium rate numbers. We detect it as Android.Dropdialer. The second was a pirated emulator and ROM combination file that was Trojanized using several advertising SDKs, as well as additional functionalities to carry out the strategies mentioned earlier. We detect this second Trojan as Android.Fakeapp.


Coincidentally, both apps use the same theme of a popular game as the bait to lure users into downloading the app. Before being revoked from the app store, both apps achieved substantial download counts— between 50,000 to 100,000. Looking at which app has the potential to earn the most revenue, Android.Dropdialer appears to be an obvious choice but, in this case, the obvious choice is an incorrect one.

This becomes apparent after delving deeper into Android.Fakeapp. After installation, Android.Fakeapp would display a notification to the user to download other apps from the same market spammer. This causes the number of apps on devices using the same underlying revenue generation functionality to grow.

A review of the past activities of the rogue market spammer behind Android.Fakeapp shows that since mid-May this is their fifth attempt to publish the same app using a new publisher ID each time. Despite the fact that the apps were immediately suspended on Google Play, our telemetry data has shown that the constant stream of new downloads resulting from users tapping on the download suggestions in the app, has resulted in a steadily growing user base.


The functionality of Android.Fakeapp is summarized as follows:

  • 70 percent of the app code is devoted to a combination of multiple advertising SDKs which remove or disregard any user consent requirements. There are also additional functionalities to display app suggestions for download and install.
  • 10 percent of the app code is devoted to a notification module.
  • 10 percent of the app code is devoted to a social spamming module.
  • 10 percent of the app code makes up the core (yep, that's all), which is what the user believes was installed.



Symantec has been tracking quite a few of these cases this year. The case involving Android.Fakeapp shows signs of incremental evolution in the attacks resulting from trial-and-error efforts by the publisher who has made attempts to test for weakness in app market screening processes. Apps able to pass app market screenings are released onto the unsuspecting public. The key success factor for market spammers is to translate best practices they have learned into a pseudo framework as quickly as possible.

It should come as no surprise that several high profile threat families discovered last year such as Android.Rootcager or Droid Dreams are text book examples of market spammers at work. Typical practices include not only using multiple apps, but also using multiple publisher IDs to spread the risk. Despite the fact that Android.Lightdd, the follow-up to Android.Rootcager, was also distributed by spammers on Google Play, it did not gain as much traction as its predecessor. In many ways this threat was ahead of its time as it embodies many of the techniques that are in fashion with market spammers, notably the decrease in the use of root exploits.

To be continued in Part 3.