In an article published in March, we informed you about the risks behind malicious clones of popular applications. Five months later, impostor apps are still trying to access our data and to target more users.
When a game like GTA San Andreas charms millions of players, it also catches the attention of many malware creators, who see an opportunity to create clones that imitate the app’s appearance but carry one or several pieces of malware.
Malicious clones of applications, ranging from stylistically similar to perfect copies, ask for more permissions than the original apps in order to perform their malicious activities. Since permissions are automatically approved at install time on almost every Android version, and users pay little attention to them, it is quite easy for ill-intentioned people to access users’ data.
Hidden under familiar and trusted names such as “Word” or “Virus killer”, here are a few examples of impostor apps and their true nature:
App name: Word
Malware type: Banking malware, collects user’s bank info and sends it to a remote entity.
Package name: com.uzuwjapc.wynav
App name: Easy Button
Malware type: Data sending Trojan, sends user's phone number, account information (name of an account, e.g. Gmail, login, password…), device identifier and phone network information to a remote entity.
Package name: com.typ3studios.easybutton
App name: Virus Killer
Malware type: Trojan, steals device information (IMEI, OS type, network operator) and users’ data (on the device and SD card memory) and sends them to a specific server.
Package name: com.safesys.viruskiller
App name: Boost & Clean Pro
Malware type: Ransomware
Package name: com.robocleansoft.boostvscleanapp
App name: Flash Player
Malware type: Banking malware, collects user’s bank info, intercepts OTP.
Package name: com.go.sfad.cas
App name: Grand Theft Auto: San Andreas
Malware type: Data sending Trojan, sends location, information about installed apps, device identifier, network / device / hardware information to a remote entity.
Package name: com.gta.sanandreas
App name: Lara Croft GO
Malware type: SMS trojan, sends SMS messages to premium rate phone numbers.
Package name: com.squareenixmontreal.lcgo
App name: Kingdom Rush Origins
Malware type: Adware, displays malicious ads, pop-ups and redirections. It also uses a version of the well-known Android/Fobus malware to steal data.
Package name: app.net_android_system_file_download_210110217
The variety and number of impostor apps show how much potential there is for hackers to use apps to steal sensitive data, and that users are not rigorous enough about app security. The first step in staying away from malicious clones is to never download applications from unofficial app stores. Even though the Play store sometimes lets vulnerable or corrupt applications through its gate, it still performs a first-level scan of the applications it hosts, which is not the case for third-party app stores.
For companies, it’s advised to use a Mobile Threat Defense solution that will automatically test any apps installed on employees’ devices and block them if they exhibit malicious behavior.
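The point made earlier, that clones ask for more permissions than the original apps, can be turned into an automated check. The script below is an added example, not code from this article or from any vendor: it compares the permissions in a decoded AndroidManifest.xml against a baseline for the genuine app. The package names, the baseline and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions matching the behaviours listed in the article.
RISK = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate fraud)",
    "android.permission.RECEIVE_SMS": "can read incoming SMS (OTP interception)",
    "android.permission.READ_SMS": "can read stored SMS (OTP interception)",
    "android.permission.READ_PHONE_STATE": "can read device identifier and phone number",
    "android.permission.GET_ACCOUNTS": "can list accounts on the device",
    "android.permission.ACCESS_FINE_LOCATION": "can read precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "can read files on the SD card",
}

# Constructed baseline for a hypothetical genuine app (assumption, not real data).
BASELINE = {
    "package": "com.example.game",
    "permissions": {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"},
}

# Constructed manifest of a hypothetical clone, already decoded to plain XML.
CLONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game.free">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

def parse_manifest(xml_text):
    """Return (package name, set of requested permissions)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)  # ignore malformed entries without a name
    return root.get("package"), perms

def audit(xml_text, baseline):
    """Report permissions requested beyond the genuine app's baseline."""
    package, perms = parse_manifest(xml_text)
    extra = sorted(perms - baseline["permissions"])
    return {
        "package": package,
        "package_mismatch": package != baseline["package"],
        "extra": extra,
        "flagged": {p: RISK[p] for p in extra if p in RISK},
    }

if __name__ == "__main__":
    print(audit(CLONE_MANIFEST, BASELINE))
```

An app that carries a trusted name but shows a package mismatch together with flagged permissions deserves review before it is allowed on a managed device.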