ACG-CYBER SECURITY BULLETIN NO 140 UNDERSTANDING THE RISK OF FAKEAPP TROJAN MALWARE
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).
The information provided was classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
FakeApp malware consists of mobile apps that trick users into downloading them by borrowing the names of legitimate companies or of popular products. They may also pose as quirky and attractive apps offering services such as live wallpapers or real-time spying tools. Once installed on a mobile device, fake apps can perform a variety of malicious routines: persistently push ads, track and report the device's location and other sensitive information, or subscribe users to premium services without consent. All of these can lead to loss of data and privacy and to waste of device resources.
For cybercriminals, generating interest among the online public is easy: they bait users with apps that generate buzz in the mobile world. Even on official app-distribution platforms, risks still abound, enough to prey on a trusting user.
FakeApp is malware that downloads configuration files to display advertisements and collects information from the compromised device. A background service started by the malware is responsible for launching a spoofed Facebook login user interface to steal user credentials. FakeApp periodically displays this login screen until the user enters their Facebook credentials.
The behaviour of FakeApp is unusual for Android malware because it performs no activity that directly monetises the infection. This suggests the malware is a form of spyware that is currently building a database of compromised accounts for use in further malicious operations.
The app is distributed through third-party markets. Once installed, it first checks whether the device already has a compromised Facebook account by submitting the device's International Mobile Equipment Identity (IMEI) to its command-and-control (C&C) server. It then shows a spoofed Facebook login page requesting the user's credentials; if these are submitted, they are stolen and the malicious app immediately hides its icon from the home screen while continuing to run in the background.
Once the credentials are captured, the app logs into the Facebook account and hides its screen by setting the display to be completely transparent. While logged in, the malware can scrape personal data from the profiles of the victim and of their family and friends.
FakeApp also plants shortcuts on the infected smartphone's home screen. On Android devices, the user is asked to share the fake app on Facebook and to rate it in the Android market before the game can be accessed. At the same time, it is capable of displaying ads through mobile notifications. Once the user has done as instructed, they are directed to a countdown for the supposed app's release instead of the actual game.
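As an added example (not part of this bulletin, and not the malware's own code), the following Python script triages a decoded AndroidManifest.xml, as produced by a tool such as apktool, for the traits described above: a background service, a launcher entry that can be hidden at runtime, the READ_PHONE_STATE permission needed to read the IMEI, INTERNET access for the C&C channel, and a translucent activity theme. The translucent-theme check is an assumption about one way the "completely transparent" screen could be implemented; the bulletin does not say how it is done. The sample manifest and its package name are constructed for illustration.

```python
"""Triage of a decoded AndroidManifest.xml for the FakeApp indicators the
bulletin describes.  Added example, not code from the bulletin or from the
malware; the sample manifest below is constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's form of the android: prefix

# Constructed sample: a decoded manifest of a hypothetical "game preview"
# app with the traits described in the bulletin.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Super Game Preview">
    <activity android:name=".LoginActivity"
              android:theme="@android:style/Theme.Translucent.NoTitleBar">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""

MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"


def is_launcher(component):
    """True if an <activity> or <activity-alias> has a MAIN/LAUNCHER filter."""
    for filt in component.iter("intent-filter"):
        actions = {a.get(A + "name") for a in filt.iter("action")}
        categories = {c.get(A + "name") for c in filt.iter("category")}
        if MAIN in actions and LAUNCHER in categories:
            return True
    return False


def triage_manifest(xml_text):
    """Return {'package': str, 'findings': [str, ...]} for one manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []

    # The bulletin says the app submits the IMEI to its C&C server: that
    # needs READ_PHONE_STATE (to read the IMEI) plus INTERNET (to send it).
    if {"android.permission.READ_PHONE_STATE",
        "android.permission.INTERNET"} <= perms:
        findings.append("reads device identity (IMEI) and has network access")

    # A service is what keeps the app "running in the background" after
    # its home-screen icon has been removed.
    services = [s.get(A + "name") for s in app.iter("service")]
    if services:
        findings.append("background service(s): " + ", ".join(services))

    # Launcher components: each can be disabled at runtime with
    # PackageManager.setComponentEnabledSetting(), which removes the
    # home-screen icon; an app with none never shows an icon at all.
    launchers, translucent = [], []
    for tag in ("activity", "activity-alias"):
        for comp in app.iter(tag):
            name = comp.get(A + "name")
            if is_launcher(comp):
                launchers.append(name)
            # Assumption: a translucent theme is one way to keep a screen
            # invisible while the logged-in scraping runs.
            if "Translucent" in (comp.get(A + "theme") or ""):
                translucent.append(name)
    if not launchers:
        findings.append("no launcher component: app has no home-screen icon")
    if translucent:
        findings.append("translucent activity: " + ", ".join(translucent))

    return {"package": root.get("package"), "findings": findings}


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for line in report["findings"]:
        print(" -", line)
```

Run it against the manifest of an APK you are investigating by decoding the APK first and passing the file contents to triage_manifest(); a hit on every check is not proof of infection, but an app that combines IMEI access, a background service and an invisible or removable launcher entry deserves a closer look before it stays on the device.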
All PNP personnel as well as the public are advised to follow these tips to avoid the risk of FakeApp malware, to wit:
- Think before you download. Choose apps that will be useful to you;
- Be mindful of the download sites you use for your apps. It is always safest to use official app stores;
- Always check the app details prior to download. Reading every detail can help you weed out fake or malicious apps;
- Never click on links with promises that are too good to be true. Read everything and carefully analyse the permissions requested by the apps you download;
- Always be aware of the security features installed on your mobile devices; and
- Invest in and install an effective mobile security app.
For additional information, please refer to the following websites:
POINT OF CONTACT