Friday, April 19, 2024

Android Malware on Google Play with 2 Million Installs Steal Sensitive Data

More than two million Android users have been tricked into installing a set of malicious, phishing, and advertising apps via the Google Play store.

Dr. Web antivirus discovered that these apps were disguised as essential utilities and system optimizer tools. But, in reality, these apps are not utility tools, as they are malware disguised as legitimate apps as we hinted earlier.

The TubeBox app is exemplified by Dr. Web as one of the apps that have reached one million downloads in the Google Play Store in a short amount of time.

App in play store

However, at the moment this app has been removed from the Google Play Store. While there seemed to be a noticeable rise in the number of banking trojans and apps that permit users to be spied on.

Watching videos and ads on TubeBox provides users with the opportunity to earn money. But, when it came to redeeming the rewards collected by the user, it presented various errors, as if the system had failed to deliver on its promises.

Ads Displayed

Other Adware Apps Detected

Here below we have mentioned the other adware apps that were detected by the antivirus company, Dr. Web:-

  1. App name: Bluetooth device auto-connect
  2. Publisher: bt auto-connect group
  3. Downloads: 1,000,000 downloads
  1. App name: Bluetooth & Wi-Fi & USB driver
  2. Publisher: simple things for everyone)
  3. Downloads: 100,000 downloads
  1. App name: Volume, Music Equalizer
  2. Publisher: bt autoconnect group)
  3. Downloads: 50,000 downloads
  1. App name: Fast Cleaner & Cooling Master
  2. Publisher: Hippo VPN LLC
  3. Downloads: 500 downloads

In order to load the websites that are specified by the threat actors in these commands, these malicious apps receive commands from Firebase Cloud Messaging. As a result, on infected devices, all these malicious apps generate deceitful ad impressions in an attempt to make monetary gains.

Interestingly, one of the remote operators was even able to configure an infected device to act as a proxy server in the case of Fast Cleaner & Cooling Master, which had a low number of downloads. 

This enables threat actors to direct their illicit traffic via devices that are infected, and this complete mechanism is accomplished with the help of the proxy server that was created by the threat actors.

Loan Scam Apps

A set of loan scam applications was also discovered by Dr. Web, claiming to be affiliated with the following organizations:-

  • Russian banks
  • Investment groups

The average number of downloads on Google Play for each of the apps was 10,000. Here below we have mentioned the names of some of those apps:-

  • Против санкций всей страной (The entire country against sanctions)
  • Дарим 10 акций бесплатно (We grand 10 free shares)
  • Заработайте уже во время обучения (Earn while you still learning)
  • Я дам вам 100 000 USD, если вы не станете миллионером за 6 месяцев (I will give you 100 000 USD if you are not a millionaire in 6 months)
Ads Displayed by app

As a result of malvertizing advertisements in other apps, these apps were marketed as investment apps that were supposed to offer guaranteed profits. As a matter of fact, the apps redirect users to phishing websites that collect personal information from them.


You should always check the following things when downloading apps from Google Play to protect yourself from downloading malicious apps:-

  • Always check for negative reviews.
  • Make sure to scrutinize the privacy policy.
  • Evaluate the authenticity of the developer by visiting the developer’s site.
  • Make sure that your device has a minimum number of apps installed on it.
  • The Play Protect feature of Google’s Play Store must be enabled in order for it to function properly.

Managed DDoS Attack Protection for Applications – Download Free Guide


Latest articles

Alert! Windows LPE Zero-day Exploit Advertised on Hacker Forums

A new zero-day Local Privilege Escalation (LPE) exploit has been put up for sale...

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles