FalseGuide Botnet Malware Hits 2 Million Android Devices

Security researchers have discovered and revealed details about ‘FalseGuide’, a new strain of malware that resides among applications on Google’s official app store, Google Play.

Researchers at Check Point have found that at least 45 Google Play store apps, typically ones that provide guides and walkthroughs for mobile games, contain the malware. Cumulatively, these apps have been downloaded onto nearly 2 million Android phones and tablets over the past year.

While initial investigations pointed to 600,000 infected devices with the oldest compromised app uploaded to Google Play in February this year, subsequent research revealed that the apps have been around since late 2016. Updated estimates confirmed nearly 2 million infected users.

FalseGuide requests ‘device admin permission’ on installation, a request that is entirely unusual for a game guide application. Armed with admin privileges, the malware is able to resist deletion by the user. From there it proceeds to hijack the device and add it to a botnet of similarly infected devices. The bots can be used for a range of purposes, from displaying pop-up ads that contain malicious code to large-scale DDoS attacks on targets.
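The persistence trick described above (a game guide holding device admin rights) is something a defender can check for directly. The following is an added example, not code from the article or from Check Point: it parses the output of `adb shell dumpsys device_policy` and flags admin receivers whose package is not on an allowlist. The sample dump is constructed, and the exact dump layout is assumed from the general shape of that command's output, which varies between Android versions.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `adb shell dumpsys device_policy` output (not a real capture).
# Package names are placeholders; the layout follows the general shape of the dump,
# but field names and indentation differ across Android versions (assumption).
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.AdminReceiver:
      uid=10087
      testOnlyAdmin=false
    com.example.gameguide/.DevAdmin:
      uid=10231
      testOnlyAdmin=false
  Device owner:
    none
"""

ADMIN_HEADER = re.compile(r"^\s*Enabled Device Admins \(User (\d+)")
COMPONENT = re.compile(r"^\s+([A-Za-z][\w.]*/[\w.$]+):?\s*$")


def active_device_admins(dumpsys_text: str) -> Dict[int, List[str]]:
    """Return {user_id: [admin component, ...]} for each 'Enabled Device Admins' section."""
    admins: Dict[int, List[str]] = {}
    user = None          # user id of the section currently being read, or None
    header_indent = 0    # indentation of the section header, used to detect its end
    for line in dumpsys_text.splitlines():
        m = ADMIN_HEADER.match(line)
        if m:
            user = int(m.group(1))
            admins.setdefault(user, [])
            header_indent = len(line) - len(line.lstrip())
            continue
        if user is None:
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip() and indent <= header_indent:
            user = None  # a sibling section started, so the admin list is over
            continue
        c = COMPONENT.match(line)  # only 'package/Receiver' lines match, not uid=/flags
        if c:
            admins[user].append(c.group(1))
    return admins


def unexpected_admins(dumpsys_text: str, allowlist: Set[str]) -> List[str]:
    """Admin components whose package is not expected to hold device admin rights."""
    return [comp for comps in active_device_admins(dumpsys_text).values()
            for comp in comps if comp.split("/", 1)[0] not in allowlist]


if __name__ == "__main__":
    print(unexpected_admins(SAMPLE_DUMPSYS, {"com.example.mdm"}))
```

Feed a real capture in place of the constructed sample, with the allowlist holding the packages (MDM, anti-theft) you expect to have admin rights; anything else, such as a game guide, is worth revoking and investigating.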

The researchers wrote:

Depending on the attackers’ objectives, these modules can contain highly malicious code intended to root the device, conduct a DDoS attack, or even penetrate private networks.

FalseGuide, as the name suggests, masquerades as a game guide app because such apps are popular: they are easy to develop and are known to capitalize on the success of gaming apps.

The malicious apps were submitted to the Google Play store under the fake names of two developers, Sergie Vernik and Nikolai Zalupkin, the latter of whom is a Russian speaker. The names also suggest a Russian connection to the malware.

While Google has removed the malware from the store after being notified by the researchers, multiple new malicious applications have since been uploaded to Google Play containing the same malware. Check Point researchers have notified Google of the malware-laden apps again.

Image credit: Pexels.