FalseGuide malware infects millions of Android users via Google Play
Malware is something of a recurring problem for Android users, and it seems as though Google is fighting a never-ending battle to keep the blight out of the Play Store. The latest large-scale batch to be discovered takes the form of adware known as FalseGuide.
As you may have guessed from the name -- and your own experience of Google Play -- this malware spreads by fooling people into installing apps purporting to be guides to popular games. The apps themselves are fairly innocuous -- and often are guides as they claim to be -- but they then download additional modules which can be used to bombard users with ads.
In many instances the "apps" (inverted commas used because the guides are little more than, as Bleeping Computer puts it, "an overhyped collection of images and text") rely on tricking users who install them into granting inflated permissions -- such as asking to be made Device Admin. Security researchers at Check Point say that despite their apparent simplicity, FalseGuide malware apps actually operate in quite a sophisticated way.
FalseGuide requests an unusual permission on installation -- device admin permission. The malware uses the admin permission to avoid being deleted by the user, an action which normally suggests a malicious intention. The malware then registers itself to a Firebase Cloud Messaging topic which has the same name as the app. Once subscribed to the topic, FalseGuide can receive messages containing links to additional modules and download them to the infected device. After a long wait, we were able to receive such a module and determine that the botnet is used to display illegitimate pop-up ads out of context, using a background service that starts running once the device is booted. Depending on the attackers’ objectives, these modules can contain highly malicious code intended to root the device, conduct a DDoS attack, or even penetrate private networks.
It is estimated that more than two million users may have been infected by FalseGuide, and while Google has removed reported apps from the Play Store, there are still plenty of smartphones and tablets with the malware installed.
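As an added illustration (not code from the article or from Check Point), the following Python triage heuristic checks a decoded AndroidManifest.xml for the three manifest-level traces of the behaviour quoted above: a device-admin receiver, a component started at boot, and a Firebase Cloud Messaging service. The sample manifest, the indicator names and the "all three present" rule are assumptions made for the example, not Check Point's detection logic.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace

# Manifest-level traces of the behaviour described above: a device-admin
# receiver, a component started at boot, and a Firebase Cloud Messaging service.
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
FULL_CHAIN = {"device_admin_receiver", "boot_started_component", "fcm_service"}

def falseguide_indicators(manifest_xml):
    """Return the set of indicator names present in a decoded AndroidManifest.xml."""
    found = set()
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return found
    for comp in app.findall("receiver") + app.findall("service"):
        if comp.get(A + "permission") == DEVICE_ADMIN_PERM:
            found.add("device_admin_receiver")
        actions = {act.get(A + "name")
                   for flt in comp.findall("intent-filter")
                   for act in flt.findall("action")}
        if BOOT_ACTION in actions:
            found.add("boot_started_component")
        if FCM_ACTION in actions:
            found.add("fcm_service")
    return found

def is_suspicious_guide_app(manifest_xml):
    """A game guide has no legitimate need for device admin; flag the app only
    when that is combined with boot persistence and a push channel that could
    deliver module download links (assumed rule, not a vendor signature)."""
    return FULL_CHAIN <= falseguide_indicators(manifest_xml)

# Constructed sample manifest (not taken from any real FalseGuide app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gameguide"><application>
  <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
    <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
  </receiver>
  <receiver android:name=".BootReceiver">
    <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
  </receiver>
  <service android:name=".PushService">
    <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
  </service>
</application></manifest>"""
```

Any one of these traces on its own is common in legitimate apps, which is why the check only fires on the full combination.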
Check Point advises exercising caution:
Mobile botnets are a growing trend since early last year, growing in both sophistication and reach. This type of malware manages to infiltrate Google Play due to the non-malicious nature of the first component, which only downloads the actual harmful code. Users shouldn’t rely on the app stores for their protection, and should implement additional security measures on their mobile device, just as they use similar solutions on their PCs.
You'll find a full list of the apps that have been found to be infected with FalseGuide over on the Check Point blog.