Mobile Menace Monday is a bi-monthly entry to the Malwarebytes Labs wherein our Android OS security experts highlight the specific dangers of certain apps for today's adaptable and heavily connected users. Expect mentions of bad apps, feedback to Android news, and some practical mobile security wisdom.
Every once in a while, a fake antivirus pops up on the Google Play store. Most of the time, it’s just a fake scanner that doesn’t detect anything because it doesn’t actually look for anything to detect. Show a scan that simply lists all the apps on your device and it’s pretty easy to look legit. They serve up some ads for revenue, and you are given the false sense your phone isn’t infected—kind of a win-win unless you actually want malicious apps to be detected/removed.
These apps are often ignored by real AV scanners because, technically, they aren’t doing anything malicious. It’s only when malicious intent is found that these apps are classified as bad.
With a clean design and look, Antivirus Free 2016 could very easily be confused for a legitimate AV scanner.
[gallery type="slideshow" ids="14542,14543,14544,14545"]
Looking deeper though, one would see its true intent.
To start, Antivirus Free 2016 is given permission to read, write, send, and receive SMS messages. It isn’t usual for an AV scanner to have receive SMS permission; but to read, write, or send SMS is another story. Unfortunately, any code that deals with SMS has been obfuscated/removed from being seen. The app’s receiver and service names, such as com.xxx.message.service.receiver.SmsReceiver, com.xxx.message.service.receiver.MmsReceiver, and com.xxx.message.service.RespondService, containing these codes raises enough suspicion on their own.
What isn't hidden in the code is the use of a complex decryption algorithm used to hide a URL and a string named "remotePackageName". This could possibly be used to download and install other apps onto the device.
According to our records, Antivirus Free 2016 is seen in the Google Play Store between August 14th to the 31st of this year, but has been removed since. Because of its extensive malicious intent, we have classified it as Android/Trojan.FakeAV.
The act of using a fake Antivirus product to infect customers is far from a new trick. Still, it’s scary to think that a product that is meant to protect you can be the one doing the most damage. Make sure to do your research while picking a good AV product, like choosing a product backed by an award-winning blog, such as Malwarebytes Labs (Yes, I'm shameless).
Be safe out there!