While Android smartphone manufacturers have invested some effort in delivering Google's monthly security updates to at least some of their devices, the situation is far from completely rectified. Google's recent admission that half of active Android devices had not received a security update in 2016 paints a worrying picture, particularly after major security vulnerabilities such as Stagefright were discovered in the OS.
However, malicious apps present an alternative vector for compromising Android devices, with over 2.1 million devices having downloaded malware from the Google Play Store in 2015. Now, it appears that more apps available via Google's official app store have been found to contain a new malware variant named 'FalseGuide'. In its announcement, Check Point disclosed that:
"FalseGuide creates a silent botnet out of the infected devices for adware purposes. A botnet is a group of devices controlled by hackers without the knowledge of their owners. The bots are used for various reasons based on the distributed computing capabilities of all the devices."
The issue seems to have originated from the trojan apps requesting device administrator permission upon installation, which is then leveraged against users to prevent the malware from being uninstalled. The otherwise benign software would then retrieve payloads, some of which were observed to deliver "illegitimate pop-up ads out of context" but could also have been used to initiate DDoS attacks or infiltrate intranets.
In addition to the initial discovery a couple of days ago, which found more than 40 game guide apps containing FalseGuide, a further five malicious apps attributed to Анатолий Хмеленко (Anatoly Khmelenko) have since been detected. Alarmingly, this second tranche of malicious apps was uploaded as early as November 2016. In total, it is estimated that between 500,000 and 1.8 million users have potentially been impacted. However, out of the 49 infected apps, 28 had fewer than ten downloads each, and seven of those were seemingly unpopular, with zero recorded downloads.
This still goes to show that an official app store cannot completely protect Android users from downloading malicious apps to their devices, and it highlights that users should keep their wits about them.