"FalseGuide" malware distributed through the legitimate Google Play Store infects 2 million people; damage still ongoing

It has been revealed that guide apps explaining how to play popular titles such as "Pokémon GO" carried "FalseGuide", malware that can display illegitimate advertisements and hijack a device. The apps carrying FalseGuide were downloaded from the legitimate Google Play Store, and an estimated 2 million people are affected.

FalseGuide misleads users on GooglePlay | Check Point Blog
http://blog.checkpoint.com/2017/04/24/falaseguide-misleads-users-googleplay/

Beware! New Android Malware Infected 2 Million Google Play Store Users
http://thehackernews.com/2017/04/android-malware-playstore.html

Researchers at the security firm Check Point found that FalseGuide was embedded in more than 40 guide apps listed on the Google Play Store. In February 2017 the FalseGuide apps were thought to have been downloaded to 600,000 devices, but a subsequent check by Check Point found that the oldest of them had been listed on the Google Play Store since November 2016 and had remained downloadable, undetected, for about five months until April 2017, putting the number of victims at more than 2 million.

Apps containing FalseGuide request device administrator privileges during installation; if the user agrees, this prevents the user from uninstalling the app. The malware then registers the device with "Firebase Cloud Messaging", a cross-platform service that app developers use to send messages to their apps. The attacker sends a message containing a link to the device, installs the linked content, displays fraudulent pop-up advertisements, and collects the advertising revenue.


The damage observed so far is limited to the display of illegitimate pop-up advertisements, but Check Point warns that FalseGuide is technically capable of organizing infected devices into a botnet, completely hijacking a device, or intruding into a private network.

According to Check Point, the first apps containing FalseGuide were registered under the Russian names Sergei Vernik and Nikolai Zalupkin. Many of the FalseGuide apps known so far have Russian titles, but there are also English titles such as "Guide or FIFA Mobile", "Guide for LEGO City My City", "Guide for Pokemon GO", "Guide For FIFA 17" and "Guide for Shadow fight 3 and 2", and some of these popular guide apps were downloaded up to 500,000 times.


Check Point notified Google about FalseGuide in February 2017 and says the affected apps were removed from the Google Play Store promptly after the notification. However, removal from the Google Play Store does not remove apps already installed on users' devices, where they remain active, so the damage is believed to be continuing.

Check Point believes FalseGuide targets guide apps because the genre is popular. In addition, unlike games from major app makers, guide apps can be produced even by small-scale developers, so their quality is a mixed bag, which may make it easier for users to choose the wrong app. Either way, given that malware-laden apps made their way into the legitimate Google Play Store, users are expected to check beforehand whether an app is trustworthy before downloading and installing it.

in Mobile, Software, Security, Posted by darkhorse_log