Google Play has had its share of malware problems in the past. Google is usually pretty good about removing these apps quickly once it is notified, though malware wrapped in an enticing enough package can spread like wildfire before it’s discovered. The latest malware to hit Google Play comes in the form of what its discoverers are calling FalseGuide. FalseGuide disguises itself as, you’ve probably already guessed, a game guide, though after installation its motives are far less helpful.
This malware is wrapped into guides for popular games like Pokémon GO and FIFA Mobile. Once installed, the app will ask for admin permissions, which should throw up all kinds of red flags immediately, though the app’s target audience may not recognize the problems that may cause. Among other things, admin privileges allow the app to prevent the user from uninstalling it. Once those permissions have been given, the app registers itself on Firebase Cloud Messaging, which allows it to send and receive messages carrying additional malware modules and instructions. This is how the apps circumvent Google Play’s security: the app itself isn’t malicious until it is downloaded and given admin privileges.
So far, FalseGuide has only been a nuisance, displaying pop-up ads in an attempt to make money from views and clicks, but the possibilities from this type of malware are quite bad. Your phone could be sent instructions to root itself, spy on your private wireless networks, or group together with a bunch of its infected brethren to perform a DDoS attack. Random pop-ups on your screen are annoying, but it could be much worse.
Cybersecurity researchers at Check Point discovered the malware and notified Google in February, at which time the offending apps were removed. However, new apps were discovered in April, and those have now been removed as well. The damage has likely already been done though, as the most popular of these guide apps was downloaded over 50,000 times, and it’s estimated that at least 600,000 devices could have been compromised via this method.
The offending apps may have been removed from the Play Store, but it’s likely that they’re still running strong on more than a few devices out there. Take this as yet another reminder to pay close attention to the permissions requested by the apps you download. And seriously, just go to GameFAQs or something.