Hi Guys,

A new set of malicious apps has bypassed Google's security measures and been available for download on the Google Play Store. This time, the apps are posing as security scanner apps.

Who could be affected?
Anyone who uses the Google Play Store could install one of these fake apps. However, cybersecurity company McAfee, which was one of the first to discover this new set of fake apps, believes they were targeting users in the US, Brazil and Spain. It may not be long before more countries are added to that list.

What do the fake apps do?
Once installed, these malicious security scanner apps urge you to update Chrome, WhatsApp or your PDF reader to the latest version, ‘for your security’. However, when you follow their instructions, those apps are not updated at all. Instead, the fake security app takes control of your device, and any app that has control of your device can access any of the information on it. Your device and data are immediately compromised.

How do they work?
McAfee researchers said that the malware “combines full device control capabilities with the ability to display phishing webpages that steal banking credentials in addition to abilities that allow it to capture screen lock credentials (PIN, Password or Pattern), capture keystrokes (keylogger functionality), and record the screen of the infected device to monitor a user’s actions without their consent.”
“By stealing the PIN, Password or Pattern, combined with the ability to record the screen, click on any button and intercept anything that is entered in an editable field, malware authors can virtually get any data they want, including banking credentials via phishing web pages or even directly from the apps themselves, while also hiding all these actions from the user.”

BRATA Malware
These fake apps use a malware family known as BRATA, which we have mentioned before in other tips. Initially discovered by Kaspersky back in 2019, the malware abuses a device’s accessibility services to take over the device, and it even has screen recording capabilities. Many banking trojans evolved from this malware. This will not be the last we see of BRATA; new and improved versions are being developed all the time.

In one of the latest versions, the malware can disable the Play Store app, which in turn disables the Play Protect feature. This further reduces the security layers in place before an app is downloaded.

How to protect yourself:
So far, only one of the names of these apps has been released. It was called DefenseScreen and it has already been removed from the Google Play Store. Unfortunately, we don’t have a list of the other names to give you, as these have not yet been made available to us. But you can follow a number of steps to reduce your risk when downloading new apps.

Checklist for Downloading Apps:

  • Check how long the developer has been distributing in the app store. More than 6 months is a minimum baseline, as Google will usually have spotted them by then.
  • Check how many installs they have. The more the better; in the millions is best.
  • Look at the reviews and see how many they have. The more the better, but note that in some cases fake apps can have hundreds of fake reviews.
  • Check their average rating. The higher the better, but at least 4 stars.
  • Do an Internet search to see if anything negative comes up.
  • Choose reputable, well-known and verified vendors.
  • Check independent test institutes for recommendations.

Most of all, stay vigilant. Check up on every app you install on your device. A thoughtless click of a button could have your device, your data and your finances compromised in seconds. Think before you install. 

All the best,
Max Roberts.