No sooner did we report on Wednesday the presence of a new batch of scammy Android apps that had to be removed from the Google Play Store (but not before racking up some 382 million downloads) than yet another wave of such apps has emerged to be aware of, and to remove from your phone if you have any of them.

Two separate teams of researchers uncovered a pair of nasty Android campaigns, some of which is among the worst we’ve seen. First, a new batch of nine apps (since removed from the Google Play Store after racking up about 470,000 downloads) comes via a report from Trend Micro that pinpoints a number of sinister purposes for this collection of apps, which disguise themselves as seemingly anodyne utilities with names like Rocket Cleaner and LinkWorldVPN. The Trend Micro researchers warn that the apps do everything from quietly connecting to remote servers to download as many as 3,000 malware variants, to logging in to unaware users’ Facebook and Google accounts for ad fraud purposes.
The apps in question include the following:
- Shoot Clean–Junk Cleaner, Phone Booster, CPU Cooler
- Super Clean Lite — Booster, Clean & CPU Cooler
- Super Clean — Phone Booster, Junk Cleaner & CPU Cooler
- Quick Games — H5 Game Center
- Rocket Cleaner
- Rocket Cleaner Lite
- Speed Clean — Phone Booster, Junk Cleaner & App Manager
- LinkWorldVPN
- H5 gamebox
The Trend Micro report suggests these apps originated from China, and that once a user installed them they connected to a remote server to do things like post fake reviews and log in to the Facebook and Google accounts noted above. They could also trick users into disabling the Play Protect Android malware scanner, among other nefarious acts.
The apps have been removed from the Google Play Store, but definitely make sure to delete any of these if you still have them on one of your devices.
Researchers from the Cofense Phishing Defense Center, meanwhile, have uncovered a separate and even more sinister effort: a phishing campaign targeting Android devices that have been configured to allow installation of unsigned applications (in practice, apps installed from outside the Play Store; Android will not install a genuinely unsigned APK, so the setting that matters is allowing installs from unknown sources). According to a new report from the center, this is an effort to infect devices with Anubis, “a particularly nasty piece of malware that was originally used for cyber espionage and retooled as a banking trojan.
“Anubis can completely hijack an Android mobile device, steal data, record phone calls, and even hold the device to ransom by encrypting the victim’s personal files. With mobile devices increasingly used in the corporate environment, thanks to the popularity of BYOD policies, this malware has the potential to cause serious harm, mostly to consumers, and businesses that allow the installation of unsigned applications.”
This campaign’s emails carry an attachment posing as an invoice. When the user opens it, they are shown a screen asking them to enable “Google Play Protect.” Tapping OK does nothing of the sort: it grants the malicious app a set of sensitive permissions while, ironically, disabling the real Google Play Protect.
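Because the lure is an Android package mailed as an “invoice,” one place to catch it is at the e-mail gateway, before the attachment ever reaches a phone. The script below is an added example written for this article, not code from Cofense or Trend Micro, and it assumes the gateway has already pulled the raw attachment bytes out of the message. The function names (`looks_like_apk`, `classify_attachment`, `scan_attachments`) and the sample filenames are hypothetical, and the sample attachments are constructed placeholders rather than real malware. The check ignores the claimed filename and instead asks whether the content is a ZIP archive carrying the entries every installable APK has (`AndroidManifest.xml` and `classes.dex`); an APK that hides behind a `.pdf` name is reported as the stronger phishing indicator. This is defence in depth: a phone that blocks installs from unknown sources would refuse the package anyway, but a gateway rule protects the devices that don’t.

```python
import io
import os
import zipfile

# Entries every installable Android package carries. Their presence, not the
# filename, is what tells us an attachment is an APK.
APK_MARKERS = ("AndroidManifest.xml", "classes.dex")


def looks_like_apk(data: bytes) -> bool:
    """Return True if the bytes are a ZIP archive with the APK marker entries.

    The local-file-header signature is checked first so non-ZIP data (PDFs,
    images) is rejected cheaply; then the central directory is parsed.
    """
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return all(marker in names for marker in APK_MARKERS)


def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict for one attachment: 'allow' or a 'block: ...' reason.

    An APK is blocked whatever it is called; a mismatched extension is
    reported separately because it is the stronger phishing indicator.
    """
    ext = os.path.splitext(filename.lower())[1]
    if looks_like_apk(data):
        if ext == ".apk":
            return "block: Android package attachment"
        return f"block: Android package disguised as '{ext or 'no extension'}'"
    if ext == ".apk":
        return "block: .apk extension but content is not an Android package"
    return "allow"


def scan_attachments(attachments):
    """Classify (filename, bytes) pairs; returns a list of (filename, verdict)."""
    return [(name, classify_attachment(name, data)) for name, data in attachments]


# --- Constructed samples (placeholders only, no real code inside) ------------

def build_fake_apk() -> bytes:
    """A minimal ZIP carrying the APK marker entries with placeholder bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder, not real binary XML
        zf.writestr("classes.dex", b"dex\n035\x00")         # placeholder header bytes only
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_plain_zip() -> bytes:
    """An ordinary ZIP with no Android entries, which must be allowed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"quarterly figures")
    return buf.getvalue()


# Constructed stand-in for a genuine PDF attachment.
FAKE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

# Hypothetical filenames in the style of an invoice lure.
SAMPLE_ATTACHMENTS = [
    ("Invoice_2041.pdf", FAKE_PDF),          # genuine PDF: allow
    ("Invoice_2041.apk", build_fake_apk()),  # openly an APK: block
    ("invoice.pdf", build_fake_apk()),       # APK hiding behind .pdf: block
    ("figures.zip", build_plain_zip()),      # plain archive: allow
    ("update.apk", FAKE_PDF),                # .apk name, PDF content: block
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:20} {verdict}")
```

Run it as-is to see the verdicts for the constructed samples; in a real gateway you would feed `classify_attachment` the decoded bytes of each MIME part. Note that the check only recognises the ZIP container itself: an APK nested inside another archive or a password-protected ZIP needs a further unpacking step before this test applies.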
Other capabilities thus enabled include capturing screenshots, changing device administration settings, recording audio, stealing contact lists and locking the device. As if that weren’t enough, there’s also a ransomware component. A Cofense researcher told Ars Technica that a ransomware module can be pushed through this campaign and enabled remotely once an attacker has taken everything they want from the phone and decides simply to encrypt it for ransom.
The Cofense report includes a list of the apps this campaign targets (it’s quite a long list). “Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the most risk of compromise,” the report concludes.
“With the increased use of Android phones in business environments, it is important to defend against these threats by ensuring devices are kept current with the latest updates. Limiting app installations on corporate devices, as well as ensuring that applications are created by trusted developers on official marketplaces, can help in reducing the risk of infection as well.”