Recently, we discovered a gold…er…APK mine of fake hacking apps. The “legitimate” versions of hack apps are intended to hack other apps in order to get something for free. Although it’s unclear what exactly these fake apps claim to hack, the real hack job is done to unsuspecting users.
Search and you will find
Disclaimer: I, and Malwarebytes, do not recommend the process I’m about to outline below. Be that as it may, I’m also not naïve and know people do this all the time. In order to demonstrate the pitfalls of such an approach, I’ll lay it all out for you.
Say you want a hack for a particular app. Obviously, you aren’t going to find such a hack on Google Play. So you fire up your favorite search engine and type in something like
Convinced that such a clean-looking site has to be legitimate, you proceed to the Lyft hack app.
Complete with app screenshots, description of the app (stolen from Google Play), a FAQ, and a How to Install section, it looks promising. There is even a long list of tags so it can be easily searched—which is how you navigated there in the first place. You roll the dice and click Download APK…
A bad roll of the dice
After install, you open the app and get a message that states you need to install one of three apps listed to unlock premium content.
At this point, I suspect that a seasoned user would conclude that the jig is up and rush to uninstall, but let’s just play this out anyway. The first link for Castle Clash redirects you to the legit Google Play version of the game—okay, easy enough. The second link for Final Fantasy XV redirects to a broken link—fail. The third and final link for AppMatch Survey redirects to a dreaded, but harmless survey that ends in, once again, installing an app from Google Play.
Besides the failed link, all the redirects equal a small payout to the evildoers if an app is installed. Thus the “run it for 30 seconds” disclaimer pop-up.
After installing said app, and still no hack app and/or premium content, you should be ready to uninstall this bogus hack job. Good luck finding the app’s shortcut icon though, because it doesn’t exist. Luckily, it’s not too hard to find in your apps list.
In reality, I’m a little disappointed and confused that the malware developers didn’t hide their efforts more thoroughly. But hey, it’s good news if you did unsuspectingly install it. Hopefully, if you did install, you go through the steps to uninstall in lieu of the missing shortcut. However, there is going to be a small percentage that don’t bother and forget about its existence—which is exactly what the bad actors are “banking” on. (Pun intended. Wait for it…)
Oh, mine!
So far, the attempts to dupe users seem bush-league. Meanwhile, the true malicious intent has been running in the background all along. During the entire process of clicking through redirect links, the user may notice their mobile device being a tad slow. That’s because a bitcoin miner has been running the whole time. Under the Java class com.coinhiveminer.CoinHive is a Monero JavaScript miner. Thus, we classify this bogus hack app as Android/Trojan.CoinMiner.kki.
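The class name above is the one concrete indicator the post gives, and it is enough for a simple static check: a DEX file stores every class it references as a type descriptor string (com.coinhiveminer.CoinHive becomes Lcom/coinhiveminer/CoinHive;), so the descriptor appears literally inside classes.dex and can be matched without a full DEX parser. The script below is an added example, not Malwarebytes' own tooling; it builds two constructed stand-in APKs (plain zip files whose classes.dex is just a string-table-like byte sequence, not a valid DEX) and scans every DEX and asset entry for the indicator.

```python
import io
import zipfile

# Indicator taken from the post: the miner lives under the Java class
# com.coinhiveminer.CoinHive. DEX files hold class names as type descriptors
# of the form Lpackage/Class; so that is the byte pattern to search for.
MINER_CLASS = "com.coinhiveminer.CoinHive"
INDICATORS = [
    b"L" + MINER_CLASS.replace(".", "/").encode() + b";",  # Lcom/coinhiveminer/CoinHive;
]


def scan_apk(apk_bytes):
    """Return a list of (entry name, indicator) pairs for every DEX or asset
    entry in the APK whose raw bytes contain one of the indicator strings.
    An APK is a zip, so zipfile is all that is needed to reach the entries."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Class descriptors live in classes.dex (and classes2.dex, ...);
            # a bundled JavaScript miner would sit under assets/.
            if not (name.endswith(".dex") or name.startswith("assets/")):
                continue
            data = zf.read(name)
            for ind in INDICATORS:
                if ind in data:
                    hits.append((name, ind.decode()))
    return hits


def build_sample_apk(with_miner):
    """Constructed sample (hypothetical, not a real APK): a minimal zip with a
    placeholder manifest and a classes.dex entry that only carries a handful
    of NUL-separated descriptor strings, which is all the scanner looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        descriptors = [b"Lcom/example/hack/MainActivity;", b"Landroid/app/Activity;"]
        if with_miner:
            descriptors.append(b"Lcom/coinhiveminer/CoinHive;")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(descriptors))
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        label = "miner sample" if flag else "clean sample"
        print(label, "->", scan_apk(build_sample_apk(flag)))
```

To run it against a real file, replace build_sample_apk with open(path, "rb").read(); the scan is byte-level, so it also works on multidex APKs and on obfuscated builds only if the miner class name was left intact, which is why a match is a strong positive but a miss is not a clean bill of health.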
In the scenario above, I’m not sure how anything is being hacked from the aforementioned Lyft Hack app. As a matter of fact, this should be the first clue something is fishy. As with anything in life, use your best judgment when installing apps onto your mobile device. Consequently, installing an app from a shady app store, even if it does look legit, could cost you. Stay safe out there!