{"id":88071,"date":"2019-09-09T17:40:30","date_gmt":"2019-09-09T12:10:30","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=88071"},"modified":"2019-09-24T19:26:55","modified_gmt":"2019-09-24T13:56:55","slug":"free-mobile-anti-virus-using-can-fake","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/free-mobile-anti-virus-using-can-fake\/","title":{"rendered":"The Free Mobile Anti-virus you are using can be a Fake!"},"content":{"rendered":"

Quick Heal Security Labs recently spotted multiple Fake <\/span><\/span>Antivirus <\/span><\/span><\/span>Apps on Google Play Store. What\u2019s more alarming, is that one of these fake AV Apps has been downloaded 100000+<\/strong> times already. These Apps appear to be genuine Anti-virus\/virus-removal Apps with names like<\/span><\/span> Virus Cleaner, Antivirus security,<\/span><\/span><\/span> etc., but do<\/span><\/span> no<\/span><\/span><\/span>t have any such functionality. As per our analysis, the main purpose of these Apps is to <\/span><\/span>show advertisements and increase <\/span><\/span><\/span>the download count.<\/span><\/span><\/p>\n

These Apps mimic the functionalities of a real Anti-virus App and have functions like \u201c<\/strong><\/span><\/span><\/span>Scan Device <\/i><\/span><\/span><\/span>for Viruses<\/i><\/span><\/span><\/strong>\u201d<\/strong>. <\/span><\/span>As per our analysis, these Apps don\u2019t have any AV engines or scan capabilities except a predefined list of App<\/span><\/span><\/span>s<\/span><\/span> marked as malicious or clean. This list appears to be static and we haven\u2019t seen it getting updated during our analysis. <\/span><\/span><\/span>These Fake AV Apps don\u2019t have any functionalities related to malware scanning or identifying any other security issues. These Apps only show a fake virus detection alert to the user and eventually show advertisements.<\/span><\/span><\/p>\n

\"\"Fig.1 – <\/span><\/em><\/strong>Fake Mobile AV & Virus Removal Apps<\/strong><\/em><\/h6>\n

The interesting part of these applications is that they detect themselves as High Risk Applications.<\/b><\/span><\/span><\/span><\/p>\n

\"\"Fig.2<\/em> – Fake Mobile AV App detecting itself as High Risk Application<\/span><\/em><\/strong><\/h6>\n

All these Fake AV Apps have common functionalities as mentioned below –<\/span><\/span><\/strong><\/span><\/p>\n

The Fake AV App contains predefined package lists, like <\/span><\/span><\/span>whiteList.json <\/b><\/span><\/span><\/span>with few whitelist package names<\/span><\/span><\/span>, blackListPackages.json <\/b><\/span><\/span><\/span>with few blacklist package names and<\/span><\/span><\/span> blackListActivities.json <\/b><\/span><\/span><\/span>with a list of blacklisted activities<\/span><\/span><\/span>. <\/b><\/span><\/span><\/span>This list is used for actual scanning and to show final scan results.<\/span><\/span><\/span><\/p>\n

\"\"Fig. 3 – Predefined static lists of Whitelisted, Blacklisted Apps and actions<\/em><\/span><\/strong><\/h6>\n
It also contains a list of predefined permissions and uses it to show risks associated with other Apps.<\/span><\/span><\/span><\/h6>\n
\"\"Fig. 4 – Predefined list of permissions\u00a0<\/em><\/span><\/strong><\/h6>\n

Following code snippet shows that it checks installed package names against the pre-defined static <\/span><\/span><\/span>Whitelists. Interestingly, this is the reason why it detects itself as <\/span><\/span><\/span>High-Risk Application<\/i><\/span><\/span><\/span> because its own package name is not present in <\/span><\/span><\/span>whitelist.json.<\/b><\/span><\/span><\/span><\/p>\n

\"\"Fig. 5 – Code to parse JSON file<\/em><\/strong><\/span><\/h6>\n
Here is the list of Fake AV Apps reported to Google by Quick Heal Security Labs. Google has removed these Apps from the Play Store now- <\/span><\/span><\/h6>\n

\"\"<\/p>\n

Fig. 6 – IOCs
\n<\/em><\/strong><\/span><\/h6>\n

Above applications disguise as “security<\/strong>” or “Antivirus<\/strong>” in their name and do nothing related to Security. As explained above, they work only on a pre-defined static Blacklist\/Whitelist of Apps and permissions. This might in-turn harm user\u2019s mobile because they don\u2019t have any capabilities to detect real malware and give a false impression of being protected to the end users. This static set of Blacklist\/Whitelist and absence of any update mechanism, confirms that these are Adwares disguised as an Anti-Virus or security related App. <\/span><\/span>The download count of these applications is alarming. This shows how easy it is for a malware author to entice end users into downloading junk Apps.<\/span><\/span><\/p>\n

Quick Heal Total Security for Mobile successfully detects these applications as –<\/span><\/span><\/span><\/p>\n

Android.Blacklister.A (PUP)<\/b><\/span><\/span> <\/b>and <\/span><\/span><\/span>Android.FakeAV.E (PUP).<\/b><\/span><\/span><\/span><\/span><\/p>\n

\n

While, anything that comes FREE might come across as a temptation for you to buy, remember that FREE can also be FAKE! <\/i><\/span><\/span><\/span>So, beware that you don\u2019t fall prey to the <\/i><\/span><\/span><\/span><\/strong>free security software available on Play Store. Go only for trusted brands like Quick Heal when it comes to guaranteed security of your device.<\/strong><\/i><\/span><\/span><\/span><\/span><\/p>\n<\/blockquote>\n

How to stay safe from fake mobile apps –<\/strong>
\n<\/span><\/p>\n

1. Check an app\u2019s description before you download it.<\/span><\/p>\n

2. Check the app developer\u2019s name and their website.If the name sounds strange or odd, you have all the reasons to suspect it.<\/span><\/p>\n

3. Go through the reviews and ratings of the app. But, note that these can also be faked.<\/span><\/p>\n

4. Avoid downloading apps from third-party app stores.<\/span><\/p>\n

5. Use a reliable mobile antivirus (like Quick Heal Total Security), that can prevent fake and malicious apps from getting installed on your phone.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Quick Heal Security Labs recently spotted multiple Fake Antivirus Apps on Google Play Store. What\u2019s more alarming, is that one of these fake AV Apps has been downloaded 100000+ times already. These Apps appear to be genuine Anti-virus\/virus-removal Apps with names like Virus Cleaner, Antivirus security, etc., but do not have any such functionality. As […]<\/p>\n","protected":false},"author":55,"featured_media":88107,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,1653,24,354,5],"tags":[],"class_list":["post-88071","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-antivirus","category-malware","category-mobile-security-2","category-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88071"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=88071"}],"version-history":[{"count":20,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88071\/revisions"}],"predecessor-version":[{"id":88169,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88071\/revisions\/88169"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/88107"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=88071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=88071"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=88071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}