Tuesday, July 16, 2024

Android Malware on Google Play with 2 Million Installs Steal Sensitive Data

More than two million Android users have been tricked into installing a set of malicious, phishing, and advertising apps via the Google Play store.

Dr. Web antivirus discovered that these apps were disguised as essential utilities and system optimizer tools. But, in reality, these apps are not utility tools, as they are malware disguised as legitimate apps as we hinted earlier.

The TubeBox app is exemplified by Dr. Web as one of the apps that have reached one million downloads in the Google Play Store in a short amount of time.

App in play store

However, at the moment this app has been removed from the Google Play Store. While there seemed to be a noticeable rise in the number of banking trojans and apps that permit users to be spied on.

Watching videos and ads on TubeBox provides users with the opportunity to earn money. But, when it came to redeeming the rewards collected by the user, it presented various errors, as if the system had failed to deliver on its promises.

Ads Displayed

Other Adware Apps Detected

Here below we have mentioned the other adware apps that were detected by the antivirus company, Dr. Web:-

  1. App name: Bluetooth device auto-connect
  2. Publisher: bt auto-connect group
  3. Downloads: 1,000,000 downloads
  1. App name: Bluetooth & Wi-Fi & USB driver
  2. Publisher: simple things for everyone)
  3. Downloads: 100,000 downloads
  1. App name: Volume, Music Equalizer
  2. Publisher: bt autoconnect group)
  3. Downloads: 50,000 downloads
  1. App name: Fast Cleaner & Cooling Master
  2. Publisher: Hippo VPN LLC
  3. Downloads: 500 downloads

In order to load the websites that are specified by the threat actors in these commands, these malicious apps receive commands from Firebase Cloud Messaging. As a result, on infected devices, all these malicious apps generate deceitful ad impressions in an attempt to make monetary gains.

Interestingly, one of the remote operators was even able to configure an infected device to act as a proxy server in the case of Fast Cleaner & Cooling Master, which had a low number of downloads. 

This enables threat actors to direct their illicit traffic via devices that are infected, and this complete mechanism is accomplished with the help of the proxy server that was created by the threat actors.

Loan Scam Apps

A set of loan scam applications was also discovered by Dr. Web, claiming to be affiliated with the following organizations:-

  • Russian banks
  • Investment groups

The average number of downloads on Google Play for each of the apps was 10,000. Here below we have mentioned the names of some of those apps:-

  • Против санкций всей страной (The entire country against sanctions)
  • Дарим 10 акций бесплатно (We grand 10 free shares)
  • Заработайте уже во время обучения (Earn while you still learning)
  • Я дам вам 100 000 USD, если вы не станете миллионером за 6 месяцев (I will give you 100 000 USD if you are not a millionaire in 6 months)
Ads Displayed by app

As a result of malvertizing advertisements in other apps, these apps were marketed as investment apps that were supposed to offer guaranteed profits. As a matter of fact, the apps redirect users to phishing websites that collect personal information from them.


You should always check the following things when downloading apps from Google Play to protect yourself from downloading malicious apps:-

  • Always check for negative reviews.
  • Make sure to scrutinize the privacy policy.
  • Evaluate the authenticity of the developer by visiting the developer’s site.
  • Make sure that your device has a minimum number of apps installed on it.
  • The Play Protect feature of Google’s Play Store must be enabled in order for it to function properly.

Managed DDoS Attack Protection for Applications – Download Free Guide


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles