Alert: Beware of a Free but Fake Mobile Security Application
India has around 1.2 billion mobile phone users, 95.01% of whom use Android devices. These devices have become central to our daily routines, so protecting an Android phone with a security solution is essential. However, not every application with “security” or “antivirus” in its name delivers what it promises. Before installing a security solution, consider whether it is genuinely a tool you can rely on.
Quick Heal Security Labs identified a fake antivirus application hosted on the Google Play Store. More alarming still, this fake AV application has already been downloaded 1Cr+ times. The threat actor uses the antivirus label to lure users into downloading and installing the app, misleading them into believing that it is a free antivirus product.
The following sections explain why it is fake. The application appears to be a genuine antivirus application named AntiVirus – Virus Cleaner, but it has no such functionality. According to our investigation, its primary purpose is to display advertisements and increase its download count.
The application imitates the features of a genuine antivirus application and includes functions such as “Examine Device and Applications”. Based on our assessment, it has no AV engine or scanning capability beyond a predefined list of applications labeled as malicious or clean. This list appears to be static; we did not observe any updates during our evaluation. The application merely shows the user a false virus detection alert and then displays advertisements. After installation, the app shows a different icon from the one used on Google Play.
All About the Fake Mobile Security Application

Figure 1. Distinct icons on Google Play Store and the actual app icons.

Figure 2 – Welcome Interface of the Antivirus Application that Presents Advertisements
Observations from Quick Heal Labs on this fake antivirus application:
- On the Google Play Store, the application displays the year 2024, but once installed, it shows 2022. Tapping the icon opens a layout that closely resembles an antivirus interface.
- A notable aspect of this software is that it classifies every application as a Potentially Harmful Application. Do more detections make a better antivirus? Instead of providing security, it shows ads and offers ineffective pseudo-security.
- Examining the application’s package files revealed suspicious JSON files in the “assets” subdirectory, including “blackListActivities,” “permissions,” “whiteList,” and “whiteListReview.” These files show that the whitelist includes prominent applications such as Facebook, Instagram, LinkedIn, Skype, and others. The application also adds its own package name to the whitelist to avoid detection.
- In other cases, the application uses wildcards in its whitelist, with entries like “com.android.*”. Because malicious software often adopts clean-looking package names to deceive users, any malicious application using a matching package name can evade detection. The “blacklistActivities” file contains permissions classified as dangerous, marked with the values 0 and 1, which are used to present scan results to the user.

Figure 3 – Various permissions requested by the app, the fake scanning dashboard, and continuous ads

Figure 4 – Depicting Nearly Every App As A Potentially Harmful Application
The fake antivirus application keeps a predefined list of packages in “whiteList.json” to whitelist specific applications, while sensitive permissions are stored in “blackListActivities.json.” It cross-references installed packages against these lists and then shows the final scan results to the user.
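The name-only matching described above can be checked during triage by reading the allowlist straight out of the APK. The following Python example is added here and is not code from the app or from Quick Heal; the JSON schema (a flat array of package patterns), the package name com.example.fakeav, the "not listed means flagged" model and the sample inventory are assumptions constructed for illustration, and the permission list is left out.

```python
import fnmatch
import io
import json
import zipfile

OWN_PACKAGE = "com.example.fakeav"  # hypothetical placeholder; the page does not name the package

def build_sample_apk():
    """Constructed stand-in for the APK (an APK is a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        # Assumed schema: a flat JSON array of package-name patterns.
        apk.writestr("assets/whiteList.json", json.dumps(
            ["com.facebook.katana", OWN_PACKAGE, "com.android.*"]))
    return buf.getvalue()

def load_allowlist(apk_bytes, member="assets/whiteList.json"):
    """Read the bundled allowlist directly from the archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return json.loads(apk.read(member))

def audit(entries, own_package):
    """Triage findings: self-allowlisting and wildcard entries."""
    return {
        "self_listed": own_package in entries,
        "wildcards": [e for e in entries if "*" in e],
    }

def static_verdict(entries, package):
    """Assumed model of the name-only decision: allowlisted or flagged."""
    hit = any(fnmatch.fnmatchcase(package, e) for e in entries)
    return "clean" if hit else "flagged"

if __name__ == "__main__":
    entries = load_allowlist(build_sample_apk())
    print(audit(entries, OWN_PACKAGE))
    # Constructed device inventory. Package names are self-declared, so the
    # second entry passes on its name alone; a real check would compare the
    # signing certificate, not the name.
    for pkg in ("com.android.settings",
                "com.android.sys.update.helper",  # hypothetical, unknown origin
                "org.example.notes"):             # hypothetical, benign
        print(f"{pkg:32} {static_verdict(entries, pkg)}")
```

The unknown package under the wildcard comes back "clean" while the benign unlisted app is "flagged", which is the false assurance and false alarm pattern the article describes.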
This application masquerades as an “antivirus” application, yet, as mentioned, it cannot identify genuine malware and so gives users a false sense of security. It frequently flags legitimate apps as malicious, adding to the confusion. This false assurance can expose users to real threats from undetected malicious applications.
The use of a static blacklist/whitelist without any update mechanism confirms that this application contains adware. The high download count is troubling and shows how easily malware developers can trick users into downloading unnecessary apps. Moreover, the application is not entirely free, as it offers a paid upgrade. If future updates include other forms of malware, users’ devices could be put at serious risk.
A Selection Of The Contents From The Files:

Figure 5 – Suspicious Files Extracted From The Package

Figure 6 – Contents Sourced From whitelist.json & blacklistactivities.json files

Figure 7 – Checking Permissions
Reviews from the Public After Downloading & Using The Application

Although the application holds a 4-star rating, not all of its downloads are genuine. A common tactic is to use automated programs to generate fake downloads and post favorable reviews, artificially inflating an application’s ratings.
N.B.: The application is currently available on the Play Store.
Ways to Protect Yourself from Fake Mobile Applications
1. Read an application’s description before downloading it.
2. Verify the application developer’s name and their official site. If the name seems unusual or odd, there is good reason to be suspicious.
3. Go over the reviews and ratings of the application. However, be aware that these can also be fabricated.
4. Refrain from downloading applications from unofficial app stores.
5. Use a reliable mobile antivirus (such as Quick Heal Total Security for Android), which can block fraudulent and harmful applications from being installed on your device.
Final Thoughts
While anything labeled FREE might seem appealing to install, remember that FREE can also mean FRAUDULENT! So, take care not to become a victim of the free security software offered on the Play Store. Choose only reputable names like Quick Heal to keep your device secure.

