Adware masquerading as Samsung app enjoyed over 10m downloads
Threats / Adware masquerading as genuine Samsung app downloaded by over 10m users
4 July 2019
A fake app on the Google Play Store that offered free and paid firmware updates for their Samsung devices was downloaded by over ten million Samsung device users before being spotted by a security researcher. The app is still live on the Play Store.
According to Aleksejs Kuprins, malware analyst at the CSIS Security Group who spotted the fake adware, the app uses all the techniques required to appear genuine to users and not only offers free firmware upgrades for Samsung devices, but also offers paid annual subscriptions for firmware upgrades.
Named “Updates for Samsung”, the app features news and Android tutorials from a website called updato.com and offers a number of firmware updates for Samsung devices on its “Download Firmware” section. Users are either given the option of downloading a firmware for free or to opt for a paid annual subscription that allows them to download firmware at greater Internet speeds.
Fake Samsung app offered paid subscriptions for firmware updates
However, the app’s credentials as a genuine one gets caught out when users attempt to download firmware for free. The Internet speed for free firmware updates is capped at 56Kbps, which means that it will take up to four hours for a user to download a 700MB package.
Kuprins noted that even if a user allows the firmware to be installed at snail’s pace, the download never gets completed and gets timed out or fails after a period of time. In the meantime, the app continues to play a series of advertisements pending the installation of a firmware package.
Users are then encouraged to opt for “Fast downloads through paid premium packages” to download firmware at a quicker pace. The app charges $34.99 and upwards for these packages and also offers SIM card unlocking for any network operator at prices starting at $19.99.
“Although not malicious in the traditional meaning of that term “Updates for Samsung” does not seem to offer users much of value besides a lighter wallet and as such highlights the risks of ignoring the fine print.
“We recommend users to follow Samsung’s designed procedure for downloading firmware updates. That is, by opening the “Settings” application on your Android device and navigating to the “About phone” -> “Software Update” menu,” Kuprins added.
A large number of people who downloaded the app from the Google Play Store have also criticised the app for being a dud and playing ads nonstop. “This app is a lie. Install if you love getting 70 ads at once, because that’s all it does. No it doesn’t let you update. Neither does it let you upgrade. All it does is spam your screen with many ads, EVEN PORN ADS!” wrote a user.
“This is garbage. It’s just news and ads. It doesn’t help update anything,” wrote another. Published by Updato, the app is yet to be removed from the Google Play Store, maybe because it doesn’t use Samsung’s logo or because it doesn’t expressly claim to be a genuine Samsung app.
Malicious developers exploiting the Google Play Store to target users with adware
This isn’t the first time that malicious developers have used fake and fraudulent apps to gain millions of downloads and used these apps to install adware, spyware, and malware on devices on which such apps were installed.
In January this year, ESET security researcher Lukas Stefanko found as many as fifteen ‘adware apps’ that masqueraded as GPS navigation apps and enjoyed over 50 million downloads on the Google Play Store. These apps used images stolen from genuine apps to appear legitimate, did not offer any real value to users aside from opening Google Maps or using the Google Maps API, and only displayed advertisements to those who downloaded them.
In the same month, security researchers at Trend Micro found dozens of fake beauty apps on the Google Play Store that had no real functionality of their own but played advertisements on users’ devices, stole photos of app users, and redirected users to malicious phishing websites that asked for their personal information.
These apps also hid their icons from application lists in Android devices so that users could not delete them post installation. Some of these apps also used packers to ensure they could not be analyzed. Trend Micro noted that the remote server, with which these photo filter-related apps communicated, was encoded with BASE64 twice in the code and the same technique was used by the apps to hide themselves as well.