An estimated 2 million Android users have now fallen victim to malware mistakenly downloaded from Google Play; the infection was initially reported to have affected approximately 600,000 users.
The malware, dubbed FalseGuide, was hidden in more than 40 guide apps for games, the oldest of which was uploaded to Google Play as early as November last year, security researchers from Check Point said.
“Since April 24, when the article below was first published, Check Point researchers learned that the FalseGuide attack is far more extensive than originally understood,” Check Point said.
“The apps were uploaded to the app store as early as November 2016, meaning they hid successfully for five months, accumulating an astounding number of downloads.”
The security firm said it found five additional apps containing the malware on Google Play, developed by “Анатолий Хмеленко” — translated as Anatoly Khmelenko — since it made its findings public.
The malware was hidden in fake companion guide applications for popular games including Pokémon Go and FIFA Mobile, and Check Point initially reported that several of these fake guides had been downloaded more than 50,000 times. It creates a silent botnet out of the infected devices for adware purposes.
Once downloaded onto a device, FalseGuide requests device admin permission, which the malware uses to ensure the app cannot be deleted by the user — a request that a guide app has no legitimate need for and that is itself a strong indicator of malicious intent.
The malware then registers itself to a Firebase Cloud Messaging topic — a cross-platform service that allows developers to send notifications and messages — which has the same name as the app. Once subscribed to the topic, Check Point said FalseGuide can receive messages containing links to additional modules and download them to the infected device.
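Because the device admin grant is the step that lets FalseGuide resist removal, the check a defender most wants is a list of which packages actually hold that privilege. The script below is an added example, not code from the article or from Check Point: it parses the "Enabled Device Admins" section of `adb shell dumpsys device_policy` output and reports any holder not on an allowlist. The dump text, the allowlist and the package `com.example.guide.pokemongo` are constructed for illustration; real dump formatting varies by Android version, so the regex is an assumption to adjust against your own devices.

```python
# Added example (not from the article or Check Point): flag unexpected device
# admins in `adb shell dumpsys device_policy` output, the privilege FalseGuide
# abuses to block uninstallation. SAMPLE_DUMPSYS is constructed to resemble the
# general shape of that dump; real output differs between Android versions.
import re

SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10009
      policies:
        force-lock
        wipe-data
    com.example.guide.pokemongo/com.example.guide.pokemongo.AdminReceiver:
      uid=10187
      policies:
        force-lock
  Device Owner: null
"""

# Hypothetical allowlist: admins a fleet expects to see (MDM agent, vendor tools).
EXPECTED_ADMINS = {"com.google.android.gms"}

# An admin entry is a 4-space-indented "package/ReceiverClass:" line.
ADMIN_RE = re.compile(r"^\s{4}([\w.]+)/([\w.$]+):\s*$")


def parse_device_admins(dump: str) -> list:
    """Return (package, receiver) pairs listed under 'Enabled Device Admins'."""
    admins, in_section = [], False
    for line in dump.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section and line.startswith("  ") and not line.startswith("    "):
            in_section = False  # next top-level block: the admin list has ended
        if in_section:
            m = ADMIN_RE.match(line)
            if m:
                admins.append((m.group(1), m.group(2)))
    return admins


def unexpected_admins(dump: str, expected=EXPECTED_ADMINS) -> list:
    """Packages holding device admin that are not on the allowlist."""
    return [pkg for pkg, _ in parse_device_admins(dump) if pkg not in expected]


if __name__ == "__main__":
    for pkg in unexpected_admins(SAMPLE_DUMPSYS):
        print(f"unexpected device admin: {pkg}")
```

On a real device, feed it the output of `adb shell dumpsys device_policy` and treat any game guide or other consumer app in the result as a removal candidate; the admin must be deactivated in Settings before the package can be uninstalled.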
“Depending on the attackers’ objectives, these modules can contain highly malicious code intended to root the device, conduct a DDoS attack, or even penetrate private networks,” the security firm wrote earlier this week.
Check Point believes the malicious apps are of Russian origin as the first batch were submitted under the Russian names of two fake developers, Sergei Vernik and Nikolai Zalupkin.