Android App Devs Find Clever Trick for Fooling Users Into Installing Their Crapware

[steven36]

An expert in Android security is warning users that some developers of crappy Android apps have come up with a new trick for fooling users into installing their apps.

 

 

The trick relies on app devs registering Google Play Store developer accounts that mimic install counts, instead of their real name, such as "1 million installs," Installs 1,000,000," "100,000,000 Downloads," "5,000,000+," "1,000,000,000" and other similar formats.

The idea is that the official Google Play Store lists an app entry by displaying the app's icon, name, developer name, and a star rating.

Sneaky devs creating a fake sense of safety

By replacing the developer name with a faux install count, some developers are trying to fool users into thinking the app is extremely popular, and hence, somewhat safe to use.

But in reality, they are not. According to ESET malware researcher Lukas Stefanko, most of the apps using this trick that he analyzed were mostly adware. The majority were just empty shells, with little to no functionality except for showing ads on top of other apps or the user's screen.

 

 

Quote

 

How to make your app popular:

1) Upload app with developer name: 1,000,000,000
2) Get installs
3) Change developer namehttps://t.co/55gBixSOKp pic.twitter.com/AWF7wtCSQc

— Lukas Stefanko (@LukasStefanko) June 11, 2018

 

 

 

Quote

 

How easy it is to make user believe apps are highly downloaded(popular) and probably worth of trying.
These are not number of app installs, these are developer names. pic.twitter.com/VfE6tfHn2v

— Lukas Stefanko (@LukasStefanko) May 28, 2018

 

 

Crooks are faking app icons too

Furthermore, Stefanko also noticed another similar trick employed by some malicious app developers.

While they didn't use developer accounts with misleading names that contained install counts, some app devs put the fake install counts in the app's icon that shows up in Play Store search results.

This misleading image is intended to work the same way as the fake install counts inserted in the dev's account name and give users a false sense of confidence for apps that are clearly ill-intended.

"The tricks are simple, yet potentially effective, ways to mislead users, particularly those who choose apps based on popularity," Stefanko explains. "While none of these apps were outright malicious, these techniques could easily be misused by malware authors in the future. Fortunately, the tricks are also simple to spot, if you know what to focus on."

 

Things to keep in mind when installing an app:

Quote

⇶  Google embeds official information in special fields on the app's Play Store page. It does not use images to do so.
⇶  Google's real install count numbers are visible in the "Additional Information" section at the bottom of each app's Play Store page.
⇶  If Google-based install count is small, yet the developer claims otherwise, the app is clearly malicious.
⇶  Google Play does not have a "Verified" badge, so don't believe what app developers may claim in their app icon. Furthermore, don't believe anything app devs put in their icons.
⇶  Always read user reviews before downloading any app.

Source

[Crazycanuk]

Moved from the "Security & Privacy News" forum