FireEye mobile security researchers recently uncovered, and notified Google and Amazon to take down, a series of anti-virus and security configuration apps that were nothing more than scams. Written easily by a thieving developer with just a few hundred lines of code, then covered with a facade of images and progress bars, the seemingly useful apps for Android’s operating environment charge for installation and upgrade but do nothing. In other words, they are placebo applications. Fortunately, all the applications have been removed from the Google Play store as a result of our discovery.
With up to 50,000 downloads in some cases, these fake apps highlight how cybercriminals are exploiting the security concerns consumers have about the Android platform. In this case, we found five (!) fake antivirus apps that do nothing other than take a security-conscious user’s money, leave them unprotected from mobile threats, and earn a criminal thousands of dollars for little work.
Uploaded by a developer named Mina Adib, the paid versions of the apps were available for Google Play customers outside the US and UK, while users in the UK and US could choose the free versions with in-app upgrade options. Also available in third-party markets such as appbrain.com and amazon.com, the fraudulent apps ranged in price from free to $3.99. The applications included:
These apps take full advantage of the legacy, signature-based approach that mobile antivirus apps have adopted, which makes it hard for a user to tell whether an app really is working; total charges for these “security” apps ran into the thousands of US dollars in the Google Play store alone. This old security model puts users relying on such applications at risk, either because it incites them to download apps that simply don’t have functionality – as we see in this case – or because the apps don’t provide adequate protection against today’s threats. Ultimately, users simply cannot tell when they are protected.
1. Anti-Hacker (com.minaadib.antihacker) Free
This application claims to protect mobile devices from hackers. But, as with all of these apps, it’s a scam not capable of scanning the phone at all. Although there is a “Scan Now” button in the middle of the layout, pressing it only shows a superficial progress bar; after a few seconds, a toast message of "Your Android is clean" is shown.
The picture below shows the main interface of the application.
The following code is executed when the user clicks the “Scan Now” button.
As shown in the code, nothing happens when the button is clicked. The toast message “Your Android is clean” is then shown from the onDismiss() method.
The same trick is used for the software update, which also does nothing. When the Update button is clicked, a progress bar appears with the text “Updating the Database...”. Later the text is changed to “Database updated Successfully”.
2. Anti-Hacker PLUS (com.minaadib.antihackerplus) Price $3.99
Fig. 4 and 5 show the paid version of the application com.minaadib.antihacker. The source code of the application is almost the same as the free version, meaning the application doesn’t perform scanning either. When the user presses the Scan button, the application displays the progress bar for some time and then shows the same notification stating the device is “clean.”
The paid version does add one “feature,” however. It offers the ability to kill running apps and tasks, which, in reality, is just a line of code that waits one second after being activated before popping up a toast notification saying it has killed all tasks. You can see this lack of useful functionality in the code below:
3. JU AntiVirus Pro (com.minaadib.juantiviruspro) Price $2.99
This application claims to be an antivirus application that detects malware; however, it actually follows the same pattern as the two scam apps above. It simply shows a progress bar for a period of time, as though it is doing something, and then displays “Device is clean.” The source code of the “scan” button is similar to that of the applications above.
The image and the source code below show that the Scan button is a fake.
4. Me Web Secure (com.minaadib.mewebsecurefree) Free
This application is a slightly different security tool, offering configuration settings for things like browsing and cookies. Just as with the apps above, these are no more than superficial layouts on empty code. Cleverly, the developer disabled some of the options in the free version so users feel compelled to pay to enable them.
5. Me Web Secure Pro (com.minaadib.mewebsecure) Price $1.99
Similar to its free version counterpart – com.minaadib.mewebsecurefree – this application shows security and network configuration screens that are simply UI layouts. As stated above, the options disabled in the free version are enabled in the paid version of the application, but no code was written even to fake the existence of those features.
In the image below, the app shows it’s performing configurations when the “ON” button is pressed.
The image below is the code path when the ON button is clicked. It is a 5-second progress bar shown only for visual purposes. No configuration is performed by the application.
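
A static triage heuristic for the placebo pattern described in this post, as an added example that is neither FireEye's tooling nor code from the apps: it flags a decompiled click handler that reports a result after only UI and delay calls. The call lists, the result keywords and both Java snippets are constructed assumptions.

```python
import re

# Calls that only draw or delay: they change what the user sees, not the device.
UI_ONLY = ("ProgressDialog", "Toast.makeText", "Thread.sleep", "postDelayed",
           "setMessage", "dismiss")
# Calls a real scanner, updater or task killer would need (assumed, not exhaustive).
WORK = ("getInstalledPackages", "getInstalledApplications", "MessageDigest",
        "FileInputStream", "HttpURLConnection", "killBackgroundProcesses")
# Words in a result string that assert work was done.
CLAIM = re.compile(r"clean|updated|killed", re.IGNORECASE)

def triage(java_source):
    """Flag a decompiled handler that reports a result without doing any work."""
    literals = re.findall(r'"((?:[^"\\]|\\.)*)"', java_source)
    claims = [s for s in literals if CLAIM.search(s)]
    ui = sorted(c for c in UI_ONLY if c in java_source)
    work = sorted(c for c in WORK if c in java_source)
    return {"ui": ui, "work": work, "claims": claims,
            "placebo": bool(claims and ui and not work)}

# Constructed sample modelled on the behaviour described above; not the app's code.
FAKE_SCAN = '''
public void onClick(View v) {
    final ProgressDialog d = ProgressDialog.show(ctx, "", "Scanning...");
    d.setOnDismissListener(this);
    new Handler().postDelayed(new Runnable() { public void run() { d.dismiss(); } }, 4000);
}
public void onDismiss(DialogInterface di) {
    Toast.makeText(ctx, "Your Android is clean", Toast.LENGTH_LONG).show();
}
'''
# Constructed counter-example: enumerates installed packages and hashes each APK.
REAL_SCAN = '''
public void onClick(View v) {
    for (PackageInfo p : pm.getInstalledPackages(0)) {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        lookup(md.digest(readAll(new FileInputStream(p.applicationInfo.sourceDir))));
    }
    Toast.makeText(ctx, "Your Android is clean", Toast.LENGTH_LONG).show();
}
'''

if __name__ == "__main__":
    for name, src in (("FAKE_SCAN", FAKE_SCAN), ("REAL_SCAN", REAL_SCAN)):
        r = triage(src)
        print(name, "placebo" if r["placebo"] else "does work", r["claims"], r["work"])
```

A hit means the handler cannot have done what its message claims; a miss only means a relevant API is referenced, not that the scan is effective.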