Researchers discover AdultSwine Malware hiding on 60 Gaming Apps on Google Play

Check Point Researchers have revealed a new and nasty malicious code on Google Play Store that hides itself inside roughly 60 game apps, several of which are intended used by children. According to Google Play’s data, the apps have been downloaded between 3 million and 7 million times.

Dubbed ‘AdultSwine’, these malicious apps wreak havoc in three possible ways:

1. Displaying ads from the web that are often highly inappropriate and pornographic.

2. Attempting to trick users into installing fake ‘security apps’.

3. Inducing users to register to premium services at the user’s expense.

In addition, the malicious code can move laterally within the infrastructure of the phone, opening the door for other attacks such as user credential theft.

How It Works
Once the infected app is installed on the device, it waits for a boot to occur or for a user to unlock their screen in order to initiate the attack. The attacker then selects which of the above three actions to take and then display on the device owner’s screen.

Inappropriate and Pornographic Ads
The most shocking element of this malware is its ability to cause pornographic ads (from the attacker’s library) to pop up without warning on the screen over the legitimate game app being displayed.

Scareware – Deceptive App Install Tactics
Another course of action the malware pursues is scaring users into installing unnecessary and possibly harmful “security” apps.

First, the malware displays a misleading ad claiming a virus has infected the user’s device.

Upon selecting the ‘Remove Virus Now’ call to action, the user is directed to another app in the Google Play Store posing as a virus removal solution.

The “virus removal solution” is anything but – it’s another malware.

Registering To Premium Services
Another technique used by the malicious malware is registering to premium services and charging the victim’s account for fraudulent premium services they did not request. In a similar way to the scareware tactic presented above, the malware initially displays a pop-up ad, which attempts to persuade the user to register for this service.

This time however, the ad claims that the user is entitled to win an iPhone by simply answering four short questions. Should the user answer them, the page informs the user that he has been successful, and asks him to enter his phone number to receive the prize. Once entered, the ad itself then uses this number to register to premium services.


Leave a Reply

%d bloggers like this: