- Researchers find hundreds of fake apps that turn into gambling and lottery apps when installed.
- The apps hide their “switch” in the API, so they are able to pass Apple’s and Google’s reviews.
- While they are not unambiguously malicious, their communications with C2 servers are suspicious.
Trend Micro researchers have discovered hundreds of fake apps for iOS and Android that carry misleading descriptions, violate App Store and Google Play policies, and exist to push gambling. Some of them even climbed into top 100 lists before Apple or Google recognized their true nature and removed them from their official stores. This is yet another alarming case that highlights the risk of downloading and installing anything you find on an official app store, since Apple and Google evidently failed to review these apps with adequate scrutiny.
Even more worryingly, Trend Micro says these hundreds of apps appear to be related. They show the same suspicious behavior, including the ability to transform into gambling apps, a heavily restricted category that is subject to much stricter store policies. The apps are also distributed through gambling websites, so people can still find and sideload them. On Android this requires enabling installation from unknown sources, a safety step that may stop some users. In quite a few cases, however, the researchers noticed that the download button on these websites simply redirected to the App Store, so many of the apps had evidently passed the required review.
Some of the apps that Trend Micro exposes in their report are:
- グロ一バルホリデ一情報— 28元の登録
- No Hit
- Simon Color Match
- Classic Poems
- Employee attendance tracker
The explanation for how this happened lies in the fact that these apps were not originally distributed as gambling apps. Instead, they pose as weather apps, wine review apps, newsreaders, and so on. Their descriptions match the features visible at review time, so they are admitted to the stores with nothing more than ordinary permissions. The "switch" that is activated later is hidden in the app's server-side API: the app only changes behavior when the backend tells it to, which is not apparent during review. Trend Micro has sent the list of offending apps to Google and Apple, and both companies responded promptly by removing them from their respective stores.
Does this mean that you should remove one of these fake apps if you are using it? Some may see no reason to delete a gambling app from their device, but we should point out that the app and its C2 server infrastructure exchange Base64-encoded messages whose purpose is unclear. Base64 is an encoding, not encryption, so it does not protect the traffic; it only hides the content from casual inspection. If that is acceptable to you, go ahead and keep them on your device.
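To make the server-side "switch" and the Base64-wrapped C2 traffic concrete, here is an added illustration written for this article. It is not code from the Trend Micro report or from any of the apps named above; the message format (a Base64-encoded JSON object with `mode` and `url` fields) and the sample responses are constructed assumptions. The first two functions model how an app can look benign while its backend says "weather" and then load a gambling page once the backend says "gamble"; the third is the analyst-side check that decodes captured response bodies and flags those carrying such directives.

```python
import base64
import json

# Constructed sample response bodies, as the app's backend might return them.
# Field names ("mode", "url") are assumptions for this illustration.
REVIEW_TIME_RESPONSE = base64.b64encode(
    json.dumps({"mode": "weather", "url": ""}).encode()
).decode()
POST_REVIEW_RESPONSE = base64.b64encode(
    json.dumps({"mode": "gamble", "url": "https://example.invalid/lottery"}).encode()
).decode()


def decode_switch(body: str) -> dict:
    """Unwrap a Base64-encoded JSON config. Raises ValueError on non-Base64 or non-JSON input."""
    raw = base64.b64decode(body, validate=True)
    return json.loads(raw)


def client_behaviour(body: str) -> str:
    """Model of the app's decision: show the advertised feature unless the server flips the switch."""
    cfg = decode_switch(body)
    if cfg.get("mode") == "gamble" and cfg.get("url"):
        # Nothing in the app binary points at gambling; the URL arrives at runtime.
        return f"load_webview:{cfg['url']}"
    return "show_builtin_feature"


def find_hidden_directives(bodies):
    """Analyst-side check over captured HTTP bodies.

    Returns (index, mode, url) for every body that is valid Base64 wrapping a JSON
    object with a 'mode' or 'url' key; plain JSON or other text is skipped.
    """
    hits = []
    for i, body in enumerate(bodies):
        try:
            cfg = decode_switch(body)
        except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueErrors
            continue
        if isinstance(cfg, dict) and ("url" in cfg or "mode" in cfg):
            hits.append((i, cfg.get("mode"), cfg.get("url")))
    return hits


if __name__ == "__main__":
    # During review the backend answers "weather"; after approval it answers "gamble".
    print(client_behaviour(REVIEW_TIME_RESPONSE))
    print(client_behaviour(POST_REVIEW_RESPONSE))
    captured = ['{"temp": 21}', REVIEW_TIME_RESPONSE, "OK", POST_REVIEW_RESPONSE]
    for hit in find_hidden_directives(captured):
        print("hidden directive in body", *hit)
```

The point of the check is that Base64 hides nothing from anyone who captures the traffic: once decoded, the directive that turns a "weather app" into a gambling front end is plain JSON. A reviewer who only exercises the app while the backend answers "weather" never sees the second branch, which is exactly why the switch survives store review.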