X

Virus scanner -- or malware? Beware app store fakes

Scammers are taking advantage of unsuspecting folks like you who just want to keep their phones virus-free.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
fakeapp
Enlarge Image
fakeapp

Androids Antivirus is a fake app that was downloaded more than 3,500 times and filled with malware.

RiskIQ/CNET

In the wake of WannaCry, 27 different apps materialized promising to protect your phone from the global ransomware attack.

But wait: WannaCry, which ensnared more than 200,000 computers around the world, doesn't target phones. It used an exploit, discovered by the National Security Agency and leaked by hackers, that targeted outdated Windows systems.

Perhaps more alarming was that these apps were filled with malware -- executing the very attacks these apps promised to protect against. First discovered by McAfee in late May, the flood of fake WannaCry protection apps points to a growing trend of viruses masquerading as antivirus apps.

RiskIQ, a cybersecurity firm, found seven apps related to WannaCry in the Google Play store and two in Apple's App Store that demanded excessive permissions such as knowing your phone's wake password. One of the phony WannaCry apps is actually blacklisted by RiskIQ's standards because of the red flags it raised.

Researchers found hundreds of fraudulent antivirus apps on the market -- fakes packed with adware, Trojans and sources of malware.

"There has been a recent rise in fake WannaCry 'protectors,' apps that use fear and hysteria around the self-propagating ransomware to drive downloads, even though mobile systems are safe from its impact," a RiskIQ spokeswoman said.

It's another unsettling discovery among the many cyberthreats now hanging over our heads. With seemingly everyone and everything connected over the internet, we're all just one bad download or weak password away from a bad situation. In recent months alone, besides WannaCry, we've had to worry about malware in movie subtitles, Word docs and flash drives; breaches to a widely used password manager; and threats to the power grids make modern digital life possible.

Danger by the numbers

In this latest worrisome episode, out of 4,292 active antivirus apps, 525 set off malware alarms for RiskIQ. That means that more than one in 10 antivirus apps are traps waiting to push malware on your phone.

Of those 525 virus protectors that triggered blacklist hits, 55 were in the Google Play store, researchers said, and the remainder from third-party app stores. RiskIQ looked through 189 different app stores to find fake antiviruses.

"Google Play is one of the most reputable app stores in the world, so the fact that so many reside there shows the dangers facing mobile app consumers," said Forrest Gueterman, a security analyst for RiskIQ.

Google didn't respond to requests for comment.

RiskIQ said that with, for example, the "Androids Antivirus" app in the Mobiles24 app store, it discovered five different variants of malware written into its code, with fake alerts, Trojans and attacks on the Android operating system. It had been downloaded more than 3,500 times.

"Antivirus Malware Trojan" had more than 10,000 downloads before the Play Store removed it, Gueterman said.

On Saturday, a Medium post by app developer Johnny Lin detailed how scammers made $80,000 a month through a fake iOS app called "Mobile protection: Clean & Security VPN." It rose to the top 10 grossing productivity app before it was removed from the app store.

The phony app would scan your device's contacts and tell you your iPhone was at risk because it did not have a "Secure Internet." After installing it, Lin said, his phone displayed pop-ups for a bubble shooter game and a free antivirus trial, except that it was $99.99 for a seven-day subscription.

"I was one Touch ID away from a $400 A MONTH subscription to reroute all my internet traffic to a scammer," Lin wrote. It received more than 50,000 downloads before the app was taken down.

These apps are taking advantage of Apple's relatively new search ad functions, which has no filtering or approval process for ads, he said.

RiskIQ recommends giving all apps a careful read before downloading. The majority of fraud apps are "riddled with grammatical errors," the company said. They were rife throughout the phony iOS app that Lin discovered.

The free trial read, "ANTI VIRUS: Instantly use full of smart anti-virus."

Not so smart after all.

Correction, June 14 at 5 p.m. PT: This story misstated the number of virus protectors in the Google Play store that set off malware alarms for RiskIQ. Of the 525 virus protectors that triggered blacklist hits, 55 were in the Google Play store.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

Technically Literate: Original works of short fiction with unique perspectives on tech, exclusively on CNET.