Android users downloading cheat apps for popular games Pou and Subway Surfers have been getting more than they planned for, with security vendor ESET revealing that fake cheat apps have bypassed Google Play security and been installed more than 200,000 times in a month.
ESET says the fake apps pose as popular game cheats, such as Cheats for Pou, Guide for SubWay and Cheats for SubWay. The app ‘aggressively’ displays adverts every 30-40 minutes, disrupting normal use of the Android devices.
The apps, detected as Android/AdDisplay.Cheastom by ESET, deploy a number of techniques to evade detection by Google’s Bouncer technology which is supposed to prevent malicious apps from entering the Google Play store.
The security vendor says the apps also contain self-preservation code to make their removal more complicated.
Lukas Stefanko, ESET malware researcher, says the ad-displaying apps attempt to hide their functionality from security researchers by deploying techniques which succeeded and saw the apps being downloaded more than 200,000 times in a single month.
“The anti-Bouncer technique used by these apps obtains the IP address of a device and accesses its WHOIS record,” Stefanko says.
“If the information returned contains the string ‘Google’ then the app assumes it is running in Bouncer. Should the app detect an emulator or Google Bouncer environment, the ads are not displayed. Instead, the app will simply provide game cheats, as expected.”
When users realise the apps are exhibiting 'very unusual behaviour' and try to uninstall them, they find it 'far from easy' ESET says. The apps will ask users to activate the device's administrator rights, making it difficult to remove the AdDisplay threat.
ESET software will remove the threat, otherwise it needs to be done manually.
ESET says after deactivating device administrator, applications can be uninstalled by going to Settings, selecting Apps/Application manager and then selecting the offending app.
After ESET notified Google of the apps, they were removed from the Google Play store.
Stefanko says while it’s good Google has removed the apps ‘it is clear that more attempts will be made to bypass Bouncer and spread apps containing undesirable code’.