Here at Webroot, we are constantly on the lookout for malevolent Android apps. In most cases, you do something malicious with your app and you get marked accordingly, but it’s not always that simple.
Two weeks ago an app called “Virus Shield” popped up on the Google Play store. Within days, Virus Shield became Google Play’s #1 paid app. With thousands of reviews and a 4.7 star rating, who would question it? Well, a few people did, the code was looked at, and Google pulled it from the store. They have even gone as far as to make amends with those scammed in the process.
Here’s the app description previously seen on Virus Shield’s Google Play page:
Virus Shield is an Antivirus that protects you and your personal information from harmful viruses, malware, and spyware.
Improve the speed of your phone with just one click. This app was designed so that anyone can use and protect their phone.
- Prevents harmful apps from being installed on your device.
- Scans apps, settings, files, and media in real time
- Protects your personal information
- Strong antivirus signature detection
- Very low impact on battery life
- Runs in the background
- No, ZERO pesky advertisements
Too bad it doesn’t actually do any of these things. So what about the malicious things it does instead? Well, it doesn’t do anything malicious either. In fact, it has hardly any code at all.
Let’s take a step back to those reviews. How did an app get such a huge amount of good reviews in such a short period? I think that’s where the real deception was happening.
Here are some stipulations for writing reviews on Google Play:
- You must install an app to be able to review it.
- Reviews are tied to your Google Account.
- You can review any given app only once per account.
I’m not clear on the exact process, but it seems the author created automation to use fake accounts to install the app, write a review, and then repeat the process continually in order to boost review ratings and download counts.
Suddenly, a no-name app has become Google Play’s top paid app. Other users now see it at the top of the charts, install it for themselves for $3.99, and the author makes a profit.
Although the app itself didn’t have malicious code, there was definitely malicious intent. For this reason, we’ve marked this app as Android.FakeApp in case it ends up on any other Android marketplaces.
It’s one thing to allegedly create an automated process that downloads and posts reviews; it’s altogether another, and a far more complex but especially expensive activity, to “purchase” the app at $3.99 to be in a position to review the app.