Mobile Security Blog | Pradeo

Impostor Apps Put Android Users At Risk

Written by Roxane Suau | August 07, 2017

In an article published in March, we warned you about the risks behind malicious clones of popular applications. Five months later, impostor apps are still trying to access our data and to reach more users.

When a game like GTA San Andreas charms millions of players, it also catches the attention of many malware creators, who see an opportunity to create clones that imitate the app’s appearance but carry one or several pieces of malware.

Malicious application clones, ranging from stylistically similar to perfect copies, request more permissions than the original apps in order to perform their malicious activities. Since on almost every Android version permissions are approved automatically when an application is installed, and users pay little attention to them, it is quite easy for ill-intentioned people to access users’ data.

Hidden under familiar and trusted names such as “Word” or “Virus killer”, here are a few examples of impostor apps and their true nature:

App name: Word
Malware type: Banking malware, collects the user’s bank information and sends it to a remote entity.
SHA1: d5d3f17377651f281f03d02228698dade7f55863
Version: 1.0
Package name: com.uzuwjapc.wynav

App name: Easy Button
Malware type: Data-sending Trojan, sends the user’s phone number, account information (account name, e.g. Gmail, login, password…), device identifier and phone network information to a remote entity.
SHA1: df09d9181f2953ef1d85ada2176852a8af57c0c0
Version: 1.3
Package name: com.typ3studios.easybutton

App name: Virus Killer
Malware type: Trojan, steals device information (IMEI, OS type, network operator) and users’ data (on the device and SD card memory) and sends them to a specific server.
SHA1: 25dee640f87db159e97210e53d9631040a35f03a
Version: 2.2.2
Package name: com.safesys.viruskiller

App name: Boost & Clean Pro
Malware type: Ransomware
SHA1: afe2d4ec4ae8250f8d3131338b6158e9a3c6f3a2
Version: 0.5
Package name: com.robocleansoft.boostvscleanapp

App name: Flash Player
Malware type: Banking malware, collects the user’s bank information and intercepts OTPs.
SHA1: 48e6fd9cd4b65e8f1b84c8a00401340520c63464
Version: 2.0
Package name: com.go.sfad.cas

App name: Grand Theft Auto: San Andreas
Malware type: Data-sending Trojan, sends location, information about installed apps, device identifier, and network / device / hardware information to a remote entity.
SHA1: 6473b9109de1da42f6451525aff57c878c309e10
Version: 1.4
Package name: com.gta.sanandreas

App name: Lara Croft GO
Malware type: SMS Trojan, sends SMS messages to premium-rate phone numbers.
SHA1: d5846a0d971a5db244f543a25a80520ebe101e57
Version: 2.0.53878
Package name: com.squareenixmontreal.lcgo

App name: Kingdom Rush Origins
Malware type: Adware, displays malicious ads, pop-ups and redirections. It also uses the well-known Android/Fobus malware to steal data.
SHA1: d90dc80bfdeb33efab6bb4e255d8b1a6ecc22c5f
Version: Unknown
Package name: app.net_android_system_file_download_210110217

The variety and number of impostor apps show how much potential there is for hackers to use apps to steal sensitive data, and that users are not rigorous enough about app security. The first step to stay away from malicious clones is to never download applications from unofficial app stores. Even though the Play Store sometimes lets vulnerable or corrupt applications through its gate, it still performs a first-level scan of the applications it hosts, which is not the case for third-party app stores.
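The indicators listed above, together with the excess-permission pattern described earlier, can be turned into a simple inventory triage. The following is an added example, not Pradeo's tooling: it takes a list of installed-app records (label, package name, APK SHA-1, requested permissions), flags known hashes and package names from this post, flags a familiar label paired with a package that is not the genuine publisher's, and flags SMS-related permissions that an office app or game has no reason to request. The OFFICIAL_PACKAGES mapping and the SAMPLE_INVENTORY records are assumptions constructed for the example.

```python
# Indicators taken from the list in this post (SHA-1 hashes and package names).
KNOWN_BAD_SHA1 = {
    "d5d3f17377651f281f03d02228698dade7f55863", "df09d9181f2953ef1d85ada2176852a8af57c0c0",
    "25dee640f87db159e97210e53d9631040a35f03a", "afe2d4ec4ae8250f8d3131338b6158e9a3c6f3a2",
    "48e6fd9cd4b65e8f1b84c8a00401340520c63464", "6473b9109de1da42f6451525aff57c878c309e10",
    "d5846a0d971a5db244f543a25a80520ebe101e57", "d90dc80bfdeb33efab6bb4e255d8b1a6ecc22c5f",
}
KNOWN_BAD_PACKAGES = {
    "com.uzuwjapc.wynav", "com.typ3studios.easybutton", "com.safesys.viruskiller",
    "com.robocleansoft.boostvscleanapp", "com.go.sfad.cas", "com.gta.sanandreas",
    "com.squareenixmontreal.lcgo", "app.net_android_system_file_download_210110217",
}
# Assumed, not from the post: the genuine publisher's package for each borrowed brand name.
OFFICIAL_PACKAGES = {
    "Word": "com.microsoft.office.word",
    "Flash Player": "com.adobe.flashplayer",
    "Grand Theft Auto: San Andreas": "com.rockstargames.gtasa",
}
# Permissions an office app, game or "cleaner" has no reason to hold (OTP interception, premium SMS).
SUSPICIOUS_PERMISSIONS = {"android.permission." + p for p in ("SEND_SMS", "READ_SMS", "RECEIVE_SMS", "BIND_DEVICE_ADMIN")}


def triage(app):
    # One inventory record in; a (possibly empty) list of human-readable findings out.
    findings = []
    if app["sha1"].lower() in KNOWN_BAD_SHA1:
        findings.append("known impostor hash")
    if app["package"] in KNOWN_BAD_PACKAGES:
        findings.append("known impostor package name")
    official = OFFICIAL_PACKAGES.get(app["label"])
    if official and app["package"] != official:
        findings.append(f"label '{app['label']}' but package is not {official}")
    excess = sorted(p.rsplit(".", 1)[-1] for p in set(app["permissions"]) & SUSPICIOUS_PERMISSIONS)
    if excess:
        findings.append("requests " + ", ".join(excess))
    return findings


def triage_inventory(apps):
    # Package name -> findings, for every app that raised at least one finding.
    return {a["package"]: triage(a) for a in apps if triage(a)}


# Constructed inventory records, the shape `adb shell dumpsys package` output can be parsed into.
SAMPLE_INVENTORY = [
    {"label": "Word", "package": "com.uzuwjapc.wynav", "sha1": "D5D3F17377651F281F03D02228698DADE7F55863",
     "permissions": ["android.permission.INTERNET", "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"]},
    {"label": "Word", "package": "com.microsoft.office.word", "sha1": "00" * 20,
     "permissions": ["android.permission.INTERNET"]},
    {"label": "Flash Player", "package": "com.example.flashplayer", "sha1": "11" * 20,  # constructed clone
     "permissions": ["android.permission.RECEIVE_SMS"]},
]
```

A clone whose hash is not yet known still trips the label/package and permission checks, which is the point of layering the three signals.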

For companies, it is advisable to use a Mobile Threat Defense solution that automatically tests any app installed on employees’ devices and blocks it if it exhibits malicious behavior.
