Fake Prisma apps found on Google Play

Before the release of the Android version of Prisma, a popular photo transformation app, fake Prisma apps flooded the Google Play Store.

ESET researchers discovered fake Prisma apps of different types, including several dangerous trojan downloaders. The Google Play security team removed them from the official Android store after ESET reported them. Before that point, the Prisma copycats had reached over 1.5 million downloads by fans.

Prisma is a unique photo editor released by Prisma labs, Inc. First released for iOS, it received excellent ratings among users on iTunes, the Apple app store. Android users were eager for it and many couldn’t wait to see it on Google Play where Prisma’s release was scheduled for July 24th, 2016.

As with many other popular apps on Google Play in the past, fake versions flooded the store before the official release date, riding the wave of user impatience.

Fake Prisma apps’ functionality

Most of the fake Prisma apps found on Google Play didn’t have any photo editing functionality; instead they only displayed ads or fake surveys, luring users into providing their personal information or subscribing to bogus (and costly) SMS services. Some actually had very basic photo editing functionality but mainly served the user a stream of pop-up ads or displayed scareware activity to persuade the user the device was infected with malware.

Figure 1: Scareware activity displayed after launch

The most dangerous fake Prisma apps found on Google Play before the (genuine) Prisma app release were the trojan downloaders detected by ESET as Android/TrojanDownloader.Agent.GY. Unlike their counterparts with their annoying ads and surveys, these trojans work behind the scenes, hiding their icons from the device.

They would send device information to the C&C server and, on request, download additional modules and execute them. When we replicated this infiltration, the trojan downloaded and executed an additional module that stole sensitive information such as the phone number, operator name, country name, language and so on. However, other downloaded modules may have implemented different functionality.

Among the five trojan downloaders discovered on Google Play, two have phishing functionality implemented that could probably be executed via the downloaded module. Displaying a fake request to update the device’s operating system to Android 6.0, users are lured into entering their Google account credentials into the fake login form.

Figure 2: Phishing activity

Text translated:

Для обновления вашего устройства необходимо авторизоваться!
Ваша версия Android:
Доступная версия: 6.0

“To update your device, you must login!
Your version of Android:
Available version: 6.0”

Один аккаунт. Весь мир Google!
Подождите, идет проверка…

“One account. Google whole world!
Wait, there is a check…”

Because of their download capabilities, the Android/TrojanDownloader.Agent.GY family of malware poses a serious risk to the more than 10,000 Android users who installed these dangerous apps before they were pulled from the Google Play store.

Figure 3: Trojans found on Google Play

Just before the release …

Because of Prisma’s success on the iOS platform, it was clear that this app would be eagerly awaited by Android users. Such situations often attract bad guys who put out fake apps – either copycats or various derivatives, from tutorials to cheats – on Google Play to ride the wave of excitement. Using misleading icons, app names, developer’s names and/or fake reviews, they make money from displaying ads, fake clicks, money scams … or, at worst, ransomware, delivered to the victim via a downloader trojan.

In the past, we’ve witnessed a lot of cases of apps riding the wave of popularity on Google Play. The latest examples were fakes of the Pokémon Go app. GTA 5 fans were also targeted by fake apps before the famous game’s official release, and the same pattern was observed in connection with the popular MSQRD app, which arrived with numerous copycats on the Google Play store. Many other popular apps – such as My Talking Angela, Dubsmash or Subway Surfers – were preceded by copycat porn clickers.

Conclusion

Trying to download a popular app before its official release is a really bad idea, as the chances of downloading a genuine app are slim while the risk of downloading a malicious copycat is large. This is true even on Google Play, with all of the tech giant’s security mechanisms behind it. For users it’s difficult to determine whether a given app is genuine or not: bad guys often use very similar icons, app names, descriptions and even screenshots to confuse users.

Figure 4: Example of a fake app (right) mimicking the original (left)

Expert advice by ESET

Follow the most basic rules of Android app hygiene:

  • Download only from reputable sources
  • Check user reviews and focus on the negative ones (bear in mind that positive ones can be fabricated)
  • Read the app’s terms and conditions, paying attention to the permissions it requests
  • Use a high-quality mobile security solution

When there is hype around an app you want, also consider the following advice:

  • You will probably face copycats alongside the original app, so be more careful than usual
  • Thoroughly check the app’s name and the developer’s name; they must match exactly, not merely look like what you expect
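The last piece of advice, together with the conclusion’s observation that copycats rely on near-identical names and icons, can be turned into a repeatable check. The script below is an added example written for this page, not ESET’s code and not part of the original post: it compares store listings against one known-genuine record, treating only an exact match of title, developer name and package id as genuine, and flags listings whose title merely resembles the genuine one. The developer name comes from the post; the package id `com.example.prisma` and all sample listings are constructed placeholders, as are the helper names (`Listing`, `classify`, `flag_lookalikes`).

```python
"""Flag look-alike app store listings against one known-genuine record.

Added example, not ESET's code and not part of the original post: it turns
the advice "check the app's name and developer name - they must match
exactly" into a repeatable check over constructed sample listings.
"""
import re
import unicodedata
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Listing:
    title: str      # store-page title
    developer: str  # developer name shown on the store page
    package: str    # Android package id (unique per app on the store)


# Reference record for the genuine app. The developer name is the one the
# post gives; the package id is a PLACEHOLDER (assumption), not the real one.
GENUINE = Listing("Prisma", "Prisma labs, Inc", "com.example.prisma")


def normalize(text: str) -> str:
    """Fold case, compatibility characters and punctuation so that
    'Prisma labs, Inc' and 'prisma labs inc.' compare equal."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches near-misses such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(listing: Listing, genuine: Listing = GENUINE) -> Tuple[str, List[str]]:
    """Return ('genuine' | 'lookalike' | 'unrelated', reasons)."""
    title, g_title = normalize(listing.title), normalize(genuine.title)
    dev, g_dev = normalize(listing.developer), normalize(genuine.developer)

    # Only listings whose title resembles the genuine one are of interest.
    resembles = title == g_title or g_title in title or levenshtein(title, g_title) <= 2
    if not resembles:
        return "unrelated", []
    # Genuine means all three identifiers match, not just a familiar title.
    if listing.package == genuine.package and title == g_title and dev == g_dev:
        return "genuine", []

    reasons = []
    if listing.package != genuine.package:
        reasons.append(f"package id {listing.package!r} is not {genuine.package!r}")
    if title != g_title:
        reasons.append(f"title {listing.title!r} only resembles {genuine.title!r}")
    if dev != g_dev:
        reasons.append(f"developer {listing.developer!r} is not {genuine.developer!r}")
    return "lookalike", reasons


def flag_lookalikes(listings: Iterable[Listing], genuine: Listing = GENUINE) -> List[Listing]:
    """Listings that trade on the genuine app's name without being it."""
    return [item for item in listings if classify(item, genuine)[0] == "lookalike"]


# Constructed sample listings (not real store data).
SAMPLE_LISTINGS = [
    GENUINE,
    Listing("Prisma Photo Editor", "Prizma Apps", "com.example.fake1"),
    Listing("Pr\u0131sma", "Prisma labs Inc.", "com.example.fake2"),      # dotless i
    Listing("Prisma", "Prisma labs, Inc", "com.example.prisma.free"),     # exact name, wrong id
    Listing("Weather Now", "Sunny Soft", "com.example.weather"),
]

if __name__ == "__main__":
    for item in SAMPLE_LISTINGS:
        verdict, reasons = classify(item)
        print(f"{verdict:10} {item.title!r} by {item.developer!r} ({item.package})")
        for reason in reasons:
            print("           -", reason)
```

The package id is the one identifier a copycat cannot share with the genuine app on the same store, which is why a listing with the exact title and developer name but a different id is still reported as a look-alike; the normalization step exists because visually similar names (different case, punctuation, or a dotless i) are exactly what the post warns about.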