Mobile Menace Monday: Fake WannaCry Scanner

With all the buzz around the PC ransomware WannaCry, it’s no surprise that a fake antivirus (FakeAV) has emerged on Google Play.  Entitled WannaCry Ransomware Protector for Android, the bold claim it makes is right in its name.  So how do we know this claim is false? Simple, there is no WannaCry Ransomware for mobile — at least not at the time of this writing. Furthermore, the fact that Google Play has already pulled it from the store supports our case.

To see this FakeAV in action, click through the slideshow below:

As you can see, there isn’t much to it. After running a fake scan, it gains revenue through advertisements and through installs of more apps. Note that the apps shown to install are legitimate and found on Google Play. Other than making a false claim about protecting against the WannaCry ransomware, the app is harmless.

What’s In a Name

Currently (at the time of this writing), there are two other apps on Google Play from the same developers that do exactly the same thing as WannaCry Ransomware Protector for Android, Mobile Security Antivirus 2017, and AMDF Anti-Virus 2017. Because these apps are not blatantly misrepresenting what they can do, we do not feel the need to classify these two — nor do other vendors. As for WannaCry Ransomware Protector for Android, we found the claim just too bold to not classify — so we as Android/PUP.Riskware.FakeAV.wacry. What can we say, sometimes it’s all in a name.


Nathan Collier

Full time mobile malware researcher, part time endurance athlete and world traveler. As nerdy about traveling as he is about mobile malware.