Fake Prisma apps found on Google Play

Before the release of the Android version of Prisma, a popular photo transformation app, fake Prisma apps flooded the Google Play Store.

ESET researchers discovered fake Prisma apps of different types, including several dangerous trojan downloaders. The Google Play security team removed them from the official Android store at ESET’s notice. Prior to that point, Prisma copycats reached over 1.5 million downloads by fans.

Prisma is a unique photo editor released by Prisma labs, Inc. First released for iOS, it received excellent ratings among users on iTunes, the Apple app store. Android users were eager for it and many couldn’t wait to see it on Google Play where Prisma’s release was scheduled for July 24th, 2016.

As with many other popular apps on Google Play in the past, fake versions flooded the store before the official release date, riding the wave of user impatience.

Fake Prisma apps’ functionality

Most of the fake Prisma apps found on Google Play didn’t have any photo editing functionality; instead they only displayed ads or fake surveys, luring users into providing their personal information or subscribing to bogus (and costly) SMS services. Some actually had very basic photo editing functionality but mainly served the user a stream of pop-up ads or displayed scareware activity to persuade the user the device was infected with malware.


Figure 1: Scareware activity displayed after launch

The most dangerous fake Prisma apps found on Google Play before the (genuine) Prisma app release were the trojan downloaders detected by ESET as Android/TrojanDownloader.Agent.GY. Unlike their counterparts with their annoying ads and surveys, these trojans work behind the scenes, hiding their icons on the device.

They would send device information to the C&C server and, on request, download additional modules and execute them. When we replicated this infiltration, the trojan downloaded and executed an additional module that stole sensitive information such as the phone number, operator name, country name, language and so on. However, other downloaded modules may have implemented different functionality.

Among the five trojan downloaders discovered on Google Play, two have phishing functionality implemented that could probably be executed via the downloaded module. By displaying a fake request to update the device’s operating system to Android 6.0, they lure users into entering their Google account credentials into a fake login form.

Figure 2: Phishing activity

Text translated:

Для обновления вашего устройства необходимо авторизоваться!
Ваша версия Android:
Доступная версия: 6.0

“To update your device, you must log in!
Your version of Android:
Available version: 6.0”

Один аккаунт. Весь мир Google!
Подождите, идет проверка…

“One account. Google whole world!
Wait, there is a check…”

Because of their download capabilities, the Android/TrojanDownloader.Agent.GY family of malware poses a serious risk to the more than 10,000 Android users who installed these dangerous apps before they were pulled from the Google Play store.

Figure 3: Trojans found on Google Play

Just before the release …

Because of Prisma’s success on the iOS platform, it was clear that this app would be eagerly awaited by Android users. Such situations often attract bad guys who put out fake apps – either copycats or various derivatives, from tutorials to cheats – on Google Play to ride the wave of excitement. Using misleading icons, app names, developer’s names and/or fake reviews, they make money from displaying ads, fake clicks, money scams … or, at worst, ransomware, delivered to the victim via a downloader trojan.

In the past, we’ve witnessed a lot of cases of apps riding the wave of popularity on Google Play. The latest examples were fakes of the Pokémon Go app. GTA 5 fans were also targeted by fake apps before the famous game’s official release, and the same pattern was observed in connection with the popular MSQRD app, which arrived on the Google Play store with numerous copycats. Many other popular apps – such as My Talking Angela, Dubsmash or Subway Surfers – were preceded by copycat porn clickers.

Trying to download a popular app before its official release is a really bad idea, as the chances of downloading a genuine app are slim while the risk of downloading a malicious copycat is large. This is true even on Google Play, with all of the tech giant’s security mechanisms behind it. For users it’s difficult to determine whether a given app is genuine or not. Bad guys often use very similar icons, app names, subscriptions and even screenshots to confuse users.

Figure 4: Example of a fake app (right) mimicking the original (left)

  • Download only from reputable sources
  • Check the user reviews and focus on the negative ones (remember that positive ones can be fabricated)
  • Read the app’s terms and conditions, paying attention to the permissions it requests
  • Use a quality mobile security solution

  • If you might be facing copycats alongside the original app, be more careful than usual
  • Check the app’s name and the developer’s name thoroughly – they must match exactly, not just look like what you expect
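One way to put the last two points into practice, as an added example that is not code from the article or from ESET: a small Python check that compares a store listing’s title and developer name against the genuine ones. Only the developer name “Prisma labs, Inc” is taken from the article; the sample listings, the similarity threshold and the helper names (`Listing`, `normalize`, `classify`, `triage`) are constructed for this illustration. It deliberately treats only an exact match on both fields as genuine and flags anything that merely reuses or resembles the name, including accented lookalikes and near-miss spellings.

```python
"""Lookalike check for app store listings: does this app's title and developer
match the genuine one exactly, or only resemble it?"""
from dataclasses import dataclass
import difflib
import unicodedata


@dataclass(frozen=True)
class Listing:
    title: str      # app name as shown on the store page
    developer: str  # developer name as shown on the store page


# The genuine app's title and developer, as named in the article.
GENUINE = Listing(title="Prisma", developer="Prisma labs, Inc")


def normalize(text: str) -> str:
    """Fold case, strip accents and punctuation, collapse whitespace, so that
    'Prísma' and ' PRISMA ' both compare equal to 'prisma'."""
    decomposed = unicodedata.normalize("NFKD", text)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    kept = "".join(ch for ch in no_marks.casefold() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def similarity(a: str, b: str) -> float:
    """Character-level similarity of two normalized strings, in [0, 1]."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify(listing: Listing, genuine: Listing = GENUINE, threshold: float = 0.75) -> str:
    """Return 'genuine' only when title AND developer match exactly after
    normalization; 'lookalike' when the title reuses or closely resembles the
    genuine name but something differs; otherwise 'unrelated'.
    The threshold is an assumed value chosen for this example."""
    title_exact = normalize(listing.title) == normalize(genuine.title)
    developer_exact = normalize(listing.developer) == normalize(genuine.developer)
    if title_exact and developer_exact:
        return "genuine"
    reuses_name = normalize(genuine.title) in normalize(listing.title)
    if title_exact or reuses_name or similarity(listing.title, genuine.title) >= threshold:
        return "lookalike"
    return "unrelated"


def triage(listings: list[Listing], genuine: Listing = GENUINE) -> dict[str, str]:
    """Classify every listing, keyed by its title for easy reading."""
    return {item.title: classify(item, genuine) for item in listings}


# Constructed sample listings; these are not real store entries from the article.
SAMPLE_LISTINGS = [
    Listing("Prisma", "Prisma labs, Inc"),          # exact match on both fields
    Listing("Prisma Photo Editor", "Prisma Labs"),  # name reused, developer differs
    Listing("Prísma", "Photo Apps Ltd"),            # accented lookalike, wrong developer
    Listing("Prism", "Prisma labs, Inc"),           # right developer string, near-miss title
    Listing("Pixel Filters", "Someone Else"),       # nothing in common
]

if __name__ == "__main__":
    for title, verdict in triage(SAMPLE_LISTINGS).items():
        print(f"{verdict:10s} {title}")
```

The check is only as strong as the two strings it compares: a copycat that reproduces both the title and the developer name exactly will pass it, which is why the article’s other advice (reading the negative reviews, checking the requested permissions, running a mobile security product) still applies alongside it.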