In an article published in March, we described the risks posed by malicious clones of popular applications. Five months later, impostor apps are still trying to access our data and to target more users.
When a game like GTA San Andreas charms millions of players, it also catches the attention of many malware creators, who see an opportunity to create clones that imitate the app’s appearance but carry one or several pieces of malware.
Malicious clones of applications, ranging from stylistically similar to perfect copies, ask for more permissions than the original apps in order to perform their malicious activities. Because permissions are automatically approved at install time on almost every Android version, and because users pay little attention to them, it is quite easy for ill-intentioned people to access users’ data.
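The permission gap described above can be checked by comparing a suspect app's manifest with the genuine app's manifest. The following is an added example, not code from the original article or from Pradeo: it assumes both manifests have already been decoded to text XML (for instance with apktool), and the package name `com.example.game`, the sample manifests and the `SENSITIVE` mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Editor's mapping: permissions that expose the kinds of data clones go after.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device identifier, phone number",
    "android.permission.GET_ACCOUNTS": "account names",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.SEND_SMS": "premium-rate SMS",
    "android.permission.RECEIVE_SMS": "OTP interception",
    "android.permission.READ_EXTERNAL_STORAGE": "files on SD card",
}

def requested_permissions(manifest_xml):
    """Return (package name, set of permission names) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return root.get("package"), perms

def compare_to_reference(reference_xml, candidate_xml):
    """Report what the candidate requests beyond the genuine (reference) app."""
    ref_pkg, ref = requested_permissions(reference_xml)
    cand_pkg, cand = requested_permissions(candidate_xml)
    extra = sorted(cand - ref)
    return {
        "same_package": ref_pkg == cand_pkg,  # clones may reuse the real name
        "extra": extra,
        "sensitive": {p: SENSITIVE[p] for p in extra if p in SENSITIVE},
    }

# Constructed sample manifests (not taken from any real app).
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.game">{}</manifest>')
def _perm(name):
    return '<uses-permission android:name="android.permission.{}"/>'.format(name)

REFERENCE = MANIFEST.format(_perm("INTERNET") + _perm("ACCESS_NETWORK_STATE"))
CANDIDATE = MANIFEST.format("".join(_perm(p) for p in (
    "INTERNET", "ACCESS_NETWORK_STATE", "READ_PHONE_STATE",
    "ACCESS_FINE_LOCATION", "SEND_SMS", "VIBRATE")))

if __name__ == "__main__":
    print(compare_to_reference(REFERENCE, CANDIDATE))
```

An identical package name with extra sensitive permissions is a signal to investigate further, not proof of malice on its own.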
Hidden under familiar and trusted names such as “Word” or “Virus killer”, here are a few examples of impostor apps and their true nature:
App name: Word
Malware type: Banking malware, collects user’s bank info and sends it to a remote entity.
SHA-1: d5d3f17377651f281f03d02228698dade7f55863
Version: 1.0
Package name: com.uzuwjapc.wynav

App name: Easy Button
Malware type: Data sending Trojan, sends user's phone number, account information (name of an account, e.g. Gmail, login, password…), device identifier and phone network information to a remote entity.
SHA-1: df09d9181f2953ef1d85ada2176852a8af57c0c0
Version: 1.3
Package name: com.typ3studios.easybutton

App name: Virus Killer
Malware type: Trojan, steals device information (IMEI, OS type, network operator) and users’ data (on the device and SD card memory) and sends them to a specific server.
SHA-1: 25dee640f87db159e97210e53d9631040a35f03a
Version: 2.2.2
Package name: com.safesys.viruskiller

App name: Boost & Clean Pro
Malware type: Ransomware
SHA-1: afe2d4ec4ae8250f8d3131338b6158e9a3c6f3a2
Version: 0.5
Package name: com.robocleansoft.boostvscleanapp

App name: Flash Player
Malware type: Banking malware, collects user’s bank info, intercepts OTP.
SHA-1: 48e6fd9cd4b65e8f1b84c8a00401340520c63464
Version: 2.0
Package name: com.go.sfad.cas

App name: Grand Theft Auto: San Andreas
Malware type: Data sending Trojan, sends location, information about installed apps, device identifier, network / device / hardware information to a remote entity.
SHA-1: 6473b9109de1da42f6451525aff57c878c309e10
Version: 1.4
Package name: com.gta.sanandreas

App name: Lara Croft GO
Malware type: SMS trojan, sends SMS messages to premium rate phone numbers.
SHA-1: d5846a0d971a5db244f543a25a80520ebe101e57
Version: 2.0.53878
Package name: com.squareenixmontreal.lcgo

App name: Kingdom Rush Origins
Malware type: Adware, displays malicious ads, pop-ups and redirections. It also uses the well-known Android/Fobus malware to steal data.
SHA-1: d90dc80bfdeb33efab6bb4e255d8b1a6ecc22c5f
Version: Unknown
Package name: app.net_android_system_file_download_210110217

The variety and number of impostor apps show how much potential there is for hackers to use apps to steal sensitive data, and that users are not rigorous enough about app security. The first step to stay away from malicious clones is to never download applications from unofficial app stores. Even though the Play store sometimes lets vulnerable or corrupt applications through its gate, it still performs a first-level scan of the applications it hosts, which is not the case for third-party app stores.
For companies, it is advisable to use a Mobile Threat Defense solution that automatically tests any app installed on employees’ devices and blocks it if it exhibits malicious behavior.