Security researchers have discovered several apps on Google Play that use social engineering techniques to increase their ratings. While some apps are legitimate, a disturbing number harbour malware and adware.
The researchers at ESET found that among the falsely high-ranking apps, a hostile ad-displaying trojan was spotted, installed by up to 5000 users as a tool to download content from YouTube. The app, detected by ESET as Android/Hiddad.BZ, uses several deceptive methods to fool users into installing its intrusive ad-displaying component and, at the same time, secure a good rating in the store.
Gaining a good rating in the App Store means the app gets placed higher in searches thus boosting the number of times it gets downloaded. These apps beg users for high ratings through nag screens and displays ads and makes promises of removing them in exchange for a five-star rating.
However, such promises are false, according to Eset malware researcher Lukas Stefanko. He said that there is no way for developers to connect users to specific reviews and thus no way to “reward” the ones that leave five stars.
“On top of that, reward or no reward, apps that promise users anything in exchange for high ratings are against the Google Play Developer Policy,” he added.
He pointed to research by the company the technique appears to be working with several apps on Google Play each having over 800,000 installs.
“A prime example of this is the fake game Subway Sonic Surf Jump, which requires users to rate it with five stars in order to proceed to the fictitious game, while displaying ad after ad. This leaves the app, installed by up to 500,000 users, with a 4.1 average rating and an ambiguous mix of five star ratings followed by angry ‘only-because-I'm-forced-to' reviews,” he said.
While this is an annoyance for users downloading an app that clearly isn't as good as the ratings suggest, more ominously are the apps using the same techniques to get downloaded and then infect users' devices.
The threat detected as Android/Hiddad.BZ was found on Google Play in seven versions, each named as a slightly different variations of “Tube.Mate” and “Snaptube”. Once installed, all seven applications appear as “Music Mania” under the user's apps.
“They work in the same way, too: their functionality of downloading content from YouTube is combined with one of a dropper,” said Stefanko.
The malware shows a fake system screen requiring installation of “plugin android” and overlaying the screen until enabled. The user is also prompted to activate device administrator rights for the fake “plugin” by yet another non-cancellable screen.
The user is then bombarded with ads and asked to rate the app to remove these ads. However, Stefanko said that cancelling the message will result in an even greater flood of ads shown on the user's device, aiming to provoke the user into rating the app next time the prompt is displayed.
Ondrej Kubovic, security evangelist at ESET, told SC Media UK that online user reviews are known to have a significant effect on user decisions. For malware authors, being able to manipulate the ratings of their malicious app potentially means being able to infect more unsuspecting users.
“As for the motivation behind malware, the majority of cyber-criminals are after money – whether it means gaining money through adware, like with this Trojan, or through more serious threats, like banking malware, ransomware, etc,” he said.
Javvad Malik, security advocate at AlienVault, told SC that while Google has improved its process to validate apps in its store, the fact is that criminals will always try to find creative ways around it.
“While Google definitely has a role to play, users should also be wary of the apps they download and the permissions that these apps request. Similarly, organisations need to take into consideration the risks and define controls accordingly. Which, for sensitive systems, can include blocking apps altogether,” he said.