New Fake Mobile Security App Identified by Quick Heal Labs

There are 1.2 billion mobile phone users in India, with 95.01% using Android devices. These devices have become integral to our daily lives. Given this, ensuring your Android phone has a security solution installed is essential. However, not all apps featuring “security” or “antivirus” in their name do what the name promises. Before installing a security solution, think twice: is it really a tool you can safely rely on?
Quick Heal Security Labs spotted a fake antivirus app hosted on the Google Play Store. What’s more alarming is that this fake AV app has already been downloaded 1Cr+ times. The threat actor poses as an antivirus app to lure users into downloading and installing it, misinforming them that it is a free antivirus app.
Below, we describe why it is fake. This app appears to be a genuine antivirus app with the name AntiVirus – Virus Cleaner, but it doesn’t have any such functionality. As per our analysis, the main purpose of this app is to show advertisements and increase the download count.
This app mimics the functionality of a real antivirus app and has functions like “Scan Device and Application”. As per our analysis, this app doesn’t have any AV engine or scan capability except a predefined list of apps marked as malicious or clean. This list appears to be static, and we haven’t seen it getting updated during our analysis. The app only shows a fake virus detection alert to the user and eventually shows advertisements. After installation, the app also shows a different icon than the one used on Google Play.

All About The Fake Mobile Security App

Fig. 1 – Different icons on Google Play and actual app icons

Fig. 2 – Welcome Screen of Antivirus That Shows Advertisement

Observations by Quick Heal Labs about this Fake Antivirus App:

  1. On Google Play, the app shows the year 2024, but after installation, it displays 2022. When you click on the icon, it opens a screen resembling an antivirus interface.
  2. The interesting aspect of this application is that it labels every app as a Risky Application. Does more detection equate to a better antivirus? Instead of providing security, it displays ads and offers ineffective pseudo-security.
  3. Upon inspecting the app’s package files, suspicious JSON files were found in the “assets” subfolder, including “blackListActivities,” “permissions,” “whiteList,” and “whiteListReview.” Examining these files shows that the whitelist includes popular apps such as Facebook, Instagram, LinkedIn, Skype, and others. The app also adds its own package name to the whitelist to avoid detection.
  4. In other instances, this app uses wildcards in its whitelist, with entries like “com.android.*”. Since malware often uses clean-looking package names to deceive users, any malicious app with a matching package name can bypass detection. The “blackListActivities” file contains permissions deemed dangerous, marked with values 0 and 1, which are used to display scan results to the user.

Fig. 3 – Various permissions requested by the app, fake scanning dashboard and continuous ads

Fig. 4 – Showing Almost Every Application As A Risky Application

The fake antivirus app stores a predefined list of packages in “whiteList.json” to whitelist certain apps, while sensitive permissions are stored in “blackListActivities.json.” The app checks installed packages against these lists and then displays the final scan results to the user.
The application in question disguises itself as an “antivirus” app, but as explained, it lacks the capability to detect real malware, giving users a false sense of security. It often flags legitimate apps as malicious, creating further confusion. This false sense of protection can expose users to actual threats from undetected malicious apps.
The use of a static blacklist/whitelist without any update mechanism confirms that this app is adware. The high download count is concerning and demonstrates how easily malware authors can trick users into downloading junk apps. Additionally, the app is not entirely free: it offers a paid upgrade. If future updates include other types of malware, it could seriously harm users’ devices.
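
The name-based whitelist check described above can be reproduced for triage. This is an added example, not code from the app or from Quick Heal: the flat JSON array layout, the helper names and the package name "com.example.fakeav" are assumptions, and the sample archive is constructed.

```python
import fnmatch
import io
import json
import zipfile

# File name as reported in the article; the JSON layout (a flat array of
# package-name patterns) is an assumption made for this example.
ALLOWLIST_PATH = "assets/whiteList.json"


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip holding one assets file."""
    allowlist = ["com.facebook.katana", "com.android.*", "com.example.fakeav"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(ALLOWLIST_PATH, json.dumps(allowlist))
    return buf.getvalue()


def load_allowlist(apk_bytes: bytes) -> list[str]:
    """Read the bundled list straight out of the package archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return json.loads(z.read(ALLOWLIST_PATH))


def is_allowlisted(package: str, allowlist: list[str]) -> bool:
    """Name-only check: no signature, hash or code inspection involved."""
    return any(fnmatch.fnmatchcase(package, pat) for pat in allowlist)


def audit_allowlist(allowlist: list[str], own_package: str) -> list[tuple[str, str]]:
    """Flag the two weaknesses noted above: wildcards and self-listing."""
    findings = []
    for pat in allowlist:
        if any(c in pat for c in "*?["):
            findings.append(("wildcard", pat))
        if fnmatch.fnmatchcase(own_package, pat):
            findings.append(("self-allowlisted", pat))
    return findings


if __name__ == "__main__":
    entries = load_allowlist(build_sample_apk())
    # Any package whose name merely starts with com.android. is treated as clean.
    print(is_allowlisted("com.android.lookalike.app", entries))
    for kind, pattern in audit_allowlist(entries, "com.example.fakeav"):
        print(kind, pattern)
```

A verdict that depends only on the package name says nothing about who signed the app or what code it contains, which is why a wildcard entry in such a list is worth flagging during review.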

Some Of The Content Of The Files:

Fig. 5 – Suspicious Files From The Package

Fig. 6 – Contents From whitelist.json & blacklistactivities.json files

Fig. 7 – Permission Scanning

Public Reviews After Downloading & Using The App

 

Despite having a 4-star rating, not all downloads are necessarily genuine. It is common practice for bots to generate fake downloads and post positive reviews, artificially boosting the app’s ratings.
Note: At the time of writing this blog, the app is present on Google Play.

How To Stay Safe From Fake Mobile Apps

1. Check an app’s description before you download it.
2. Check the app developer’s name and their website. If the name sounds strange or odd, you have every reason to suspect it.
3. Go through the reviews and ratings of the app, but note that these can also be faked.
4. Avoid downloading apps from third-party app stores.
5. Use a reliable mobile antivirus (like Quick Heal Total Security for Android) that can prevent fake and malicious apps from getting installed on your phone.

Conclusion

While anything that comes FREE might be tempting to install, remember that FREE can also be FAKE! So, beware that you don’t fall prey to the free security software available on the Play Store. Go only for trusted brands like Quick Heal when it comes to guaranteed security of your device.

The post “new fake mobile security app identified by quick heal labs” appeared first on Quick Heal Antivirus Blog

Source: Quick Heal Antivirus Blog – Quick Heal