Android malware is a problem that Google's operating system has faced practically since its inception. Almost always this malware reaches users through unofficial application stores, but not always: it is neither the first nor the last time that hackers evade the Play Store's security checks and use it to distribute malware, as with the new FalseGuide threat.
A few hours ago the security company Check Point reported the new malware FalseGuide, which had slipped into the Play Store. It posed as guides for more than 40 well-known applications, for example Pokémon Go or FIFA Mobile, and was infecting thousands of users around the world.
This malware had been published in Google's app store for more than 5 months, since November 2016, adding more victims every day; those victims are now part of a botnet.
The hackers behind this threat opted to use “game guides” for two reasons. First, they are very basic and simple applications, so no time is wasted creating them; instead all effort goes into developing the malware and hiding it to evade the Play Store's security measures. Second, these applications are very popular and widespread, so the number of potential victims is very high.
What we cannot explain is how Google can be so strict in blocking some open-source applications it does not like and so permissive with other applications that hide malware inside.
More than 2 million users infected by FalseGuide are now part of a botnet
When the threat was first discovered, the number of users infected by this malware was believed to be 600,000. However, an in-depth analysis uncovered many other applications published in the Play Store, bringing the number of infected users to more than 2 million.
As we have said, the main purpose of this malware is to build a network of zombie devices, a botnet, used mainly for advertising purposes: the hackers push adware to the infected devices and, little by little, generate income from it. This malware does just that and at no time poses a security risk.
At the following link Check Point publishes the complete list of applications infected by this malware. All of these applications requested a special permission, device administrator rights, which should be the first sign that something is hidden inside them. Once granted this permission, they use techniques to hide their presence and avoid raising further suspicion. From there the app registers with Firebase Cloud Messaging, through which it receives malicious links to download additional modules and continue the infection.
Once this is complete, the malware starts showing advertisements on infected devices, but depending on the type of device and its permissions (for example, whether it is rooted or not) it can also be used to perform DDoS attacks or to take control of private networks.
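The two traits described above, a device administrator receiver and a Firebase Cloud Messaging channel that can fetch further modules, are both declared in an app's AndroidManifest.xml, so they can be checked before an installed "guide" app is trusted. The following added example (not code from the original article or from Check Point) is a small triage script that parses a manifest and flags those two traits; the intent actions and the android: namespace it looks for are real Android and Firebase identifiers, while the two manifests it runs on are constructed samples, and the package names in them are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Intent action a device-admin receiver must handle (real Android identifier).
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
# Actions that mark a component as a push-messaging endpoint (real identifiers).
PUSH_ACTIONS = {
    "com.google.firebase.MESSAGING_EVENT",      # Firebase Cloud Messaging service
    "com.google.android.c2dm.intent.RECEIVE",   # legacy GCM/C2DM receiver
}

# Constructed sample manifest modelled on the behaviour described for the
# "game guide" apps: a device-admin receiver plus an FCM service.
GUIDE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.guideapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Guide for Example Game">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".PushService">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest: a plain guide app with no admin or push components.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainguide">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Guide">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def _android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _component_actions(component):
    """Collect every <action android:name=...> declared under a component."""
    return {_android_attr(a, "name") for a in component.iter("action")}


def triage_manifest(xml_text):
    """Flag the two traits the article ties to FalseGuide: a device-admin
    receiver and a cloud-messaging channel that can deliver further payloads."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    app = root.find("application")
    components = []
    if app is not None:
        components = list(app.iter("receiver")) + list(app.iter("service"))

    device_admin = any(DEVICE_ADMIN_ACTION in _component_actions(c) for c in components)
    push_messaging = any(_component_actions(c) & PUSH_ACTIONS for c in components)
    permissions = sorted(
        _android_attr(p, "name") or "" for p in root.iter("uses-permission")
    )

    reasons = []
    if device_admin:
        reasons.append("declares a device administrator receiver")
    if push_messaging:
        reasons.append("registers a push-messaging endpoint (FCM/GCM)")

    return {
        "package": root.get("package"),
        "label": _android_attr(app, "label") if app is not None else None,
        "permissions": permissions,
        "device_admin": device_admin,
        "push_messaging": push_messaging,
        # A device-admin request from a "guide" app is the article's first red
        # flag; combined with a remote-delivery channel, treat it as suspicious.
        "suspicious": device_admin and push_messaging,
        "reasons": reasons,
    }


if __name__ == "__main__":
    for text in (GUIDE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(text)
        verdict = "suspicious" if result["suspicious"] else "clean"
        print(result["package"], verdict, "; ".join(result["reasons"]))
```

The heuristic is deliberately narrow: a push-messaging service alone is normal for many legitimate apps, and a device administrator receiver alone is legitimate for MDM or anti-theft software, so only the combination, in an app whose stated purpose (a game guide) needs neither, is reported. Treat a hit as a reason to compare the package against the published list of infected apps and review it, not as proof of infection.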
How to remove FalseGuide?
Fortunately, no evidence of persistence has been detected for this malware, so in most cases disabling the application's device administrator permission and uninstalling it should be enough. However, for greater certainty it is advisable to reset the device to factory settings to ensure that everything has been properly removed.
In addition, if the malware has root permissions or has become a system application, it is advisable to format the device's “system” partition and reinstall the Android ROM from scratch.