Around two million Android users have installed the FalseGuide malware from the Google Play Store, unknowingly enrolling their phones into a botnet.
Security researchers at Check Point discovered the malware hiding inside more than 40 guide apps for well-known games such as Pokemon Go and FIFA Mobile.
The malware was then publicly named “FalseGuide”; it infects devices after users install these guide apps.
Check Point first notified Google of the FalseGuide malware in February, and it was immediately removed from the Google Play Store.
However, the creators of the malware have been persistent, uploading more applications at the beginning of April.
Check Point again notified Google of the FalseGuide malware, and it was removed once more.
Experts initially believed that FalseGuide had affected more than 600,000 users, but the current estimate is two million.
Download and Installation
Malware typically infects a device when users install an app they do not suspect to be malicious.
This is not the first time that malware has been downloaded from the Google Play Store.
FalseGuide tries to build an Android botnet in order to deliver fraudulent mobile adware.
After installation, FalseGuide sends a permission request to the user. If they accept, the malware registers with a Firebase Cloud Messaging topic whose name resembles that of the app.
Firebase Cloud Messaging is a cross-platform service that lets a developer push a notification or message to the app.
FalseGuide can then receive messages containing links to additional modules and download them onto the infected device.
The attackers can also link to other malware and install it on the infected phone, for example to display fraudulent pop-ups and ads that generate revenue.
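The combination just described (a push-messaging topic registration, a remote "module" fetched and loaded at runtime, and a sensitive permission requested at first run) is what an analyst would look for when triaging a guide app. The following is an added example, not code from Check Point or from the article: a small static-triage heuristic over strings extracted from an APK. The indicator patterns, the constructed string dumps and the URL in them are assumptions for illustration, not signatures from any vendor report.

```python
import re

# Indicator families matching the behaviour described above. These regexes are
# hypothetical heuristics chosen for the example, not published signatures.
INDICATORS = {
    "fcm_topic": [r"subscribeToTopic", r"FirebaseMessaging", r"/topics/"],
    "dynamic_load": [r"dalvik\.system\.DexClassLoader", r"\.dex\b", r"\.apk\b"],
    "sensitive_perm": [r"BIND_DEVICE_ADMIN", r"SYSTEM_ALERT_WINDOW",
                       r"REQUEST_INSTALL_PACKAGES"],
}

def triage(strings):
    """Return (score, hits) for a list of strings pulled from an APK.

    Each indicator family counts at most once, however many of its patterns
    match, because the signal is the *co-occurrence* of all three families:
    plenty of benign apps legitimately use Firebase topics on their own.
    """
    hits = {}
    for family, patterns in INDICATORS.items():
        for s in strings:
            if any(re.search(p, s) for p in patterns):
                hits[family] = s  # remember the first string that triggered
                break
    return len(hits), hits

def is_suspicious(strings, threshold=3):
    """True when every indicator family is present (default threshold)."""
    return triage(strings)[0] >= threshold

# Constructed sample string dumps (not taken from any real APK).
GUIDE_APP = [
    "com.google.firebase.messaging.FirebaseMessaging",
    "subscribeToTopic",
    "http://example.invalid/modules/guide_update.apk",  # hypothetical module URL
    "dalvik.system.DexClassLoader",
    "android.permission.BIND_DEVICE_ADMIN",
]
BENIGN_APP = ["subscribeToTopic", "res/layout/activity_main.xml"]

if __name__ == "__main__":
    for name, dump in (("guide_app", GUIDE_APP), ("benign_app", BENIGN_APP)):
        score, hits = triage(dump)
        print(f"{name}: score={score} suspicious={is_suspicious(dump)} hits={hits}")
```

A real pipeline would feed this from `strings` or a decompiler's output and treat a full-score match as a reason for dynamic analysis, not as a verdict on its own.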
Hidden Malicious Feature
Malware like FalseGuide is able to enter the Google Play Store because the app's malicious behaviour is hidden.
It only becomes apparent once the app has been installed and has obtained the user's permission, at which point it can act on malicious instructions.
The creators of FalseGuide are using it to serve fraudulent ads. However, the malware is also capable of receiving any other instruction module from the command-and-control server.
Those instructions could direct the botnet to root the device, conduct DDoS attacks, or even penetrate private networks.
There are rumors that FalseGuide originated from Russia, as it was submitted under the names of Sergei Vernik and another Russian developer Nikolai Zalupkin.
But researchers have debunked some of these rumors, stating that the latter name is fake.
Using Game Guides
Most developers of such malware make use of game guides, as these are very popular among players.
Such apps also need few features or other development resources, so the malware's creators can infect more devices with minimal effort.
The game guides abused include those for Super Mario, Lego City My City, Drift Zone 2, Criminal Case, Subway Surfers and several others.
Botnet Lives On
A Google spokesperson has stated that the company makes regular enhancements to its systems and takes immediate action whenever it is notified about questionable apps and malware such as FalseGuide.
This particular malware has now been removed from the Google Play Store, but the botnet may well survive, given the large number of installations.
Nor is there any way to recall such malicious apps once they are installed.