Important Alert: Beware Of A Free But Fake Mobile Security App?

Aug 10, 2024 - 14:35

There are 1.2 billion mobile phone users in India, with 95.01% using Android devices. These devices have become integral to our daily lives, so ensuring your Android phone has a security solution installed is essential. However, not all apps featuring “security” or “antivirus” in their name do what the name promises. Before installing a security solution, think twice: is it really a tool you can safely rely on?


Quick Heal Security Labs spotted a fake antivirus app hosted on the Google Play Store. What’s more alarming is that this fake AV app has already been downloaded 1Cr+ times. The threat actor poses as an antivirus vendor, luring users to download and install the app by misinforming them that it is a free antivirus.
Below, we describe why it is fake. The app appears to be a genuine antivirus app with the name AntiVirus – Virus Cleaner, but it has no such functionality. As per our analysis, the main purpose of this app is to show advertisements and increase the download count.


This app mimics the functionality of a real antivirus app and has functions like “Scan Device and Application”. As per our analysis, this app doesn’t have any AV engine or scan capabilities beyond a predefined list of apps marked as malicious or clean. This list appears to be static, and we haven’t seen it being updated during our analysis. The app only shows a fake virus detection alert to the user and eventually shows advertisements. The app also shows a different icon after installation than the icon used on Google Play.

Observations about this Fake Antivirus App:

  1. On Google Play, the app shows the year 2024, but after installation, it displays 2022. When you click on the icon, it opens a screen resembling an antivirus interface.
  2. The interesting aspect of this application is that it labels every app as a Risky Application. Does more detection equate to a better antivirus? Instead of providing security, it displays ads and offers ineffective pseudo-security.
  3. Upon inspecting the app’s package files, suspicious JSON files were found in the “assets” subfolder, including “blackListActivities,” “permissions,” “whiteList,” and “whiteListReview.” Upon examining these files, we find that the whitelist includes popular apps such as Facebook, Instagram, LinkedIn, Skype, and others. The app also adds its own package name to the whitelist to avoid detection.
  4. In other instances, this app uses wildcards in its whitelist, with entries like “com.android.*”. Since malware often uses clean package names to deceive users, any malicious app with such a package name can bypass detection. The “blackListActivities” file contains permissions deemed dangerous, marked with values 0 and 1, which are used to display scan results to the user.

The fake antivirus app stores a predefined list of packages in “whiteList.json” to whitelist certain apps, while sensitive permissions are stored in “blackListActivities.json.” The app checks installed packages against these lists and then displays the final scan results to the user.
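As an added example (not code from the app or from Quick Heal), the following Python script audits a name-based allowlist of the kind described above and shows which installed packages it would skip. It assumes “whiteList.json” is a flat JSON array of package-name patterns; the installed-package list and `com.example.fakeav`, a placeholder for the app's own package name, are constructed.

```python
import fnmatch
import json

# Constructed sample. The write-up does not show the file layout, so a flat
# JSON array of package-name patterns is assumed.
SAMPLE_WHITELIST = json.dumps([
    "com.facebook.katana",
    "com.android.*",        # wildcard entry of the kind quoted in the article
    "com.example.fakeav",   # placeholder for the scanner's own package name
])

# Constructed package names standing in for what is installed on a device.
INSTALLED = ["com.facebook.katana", "com.android.updater.helper", "org.example.notes"]


def audit_allowlist(raw_json, own_package):
    """Flag allowlist entries that are wildcards or cover the scanner itself."""
    findings = []
    for entry in json.loads(raw_json):
        if "*" in entry or "?" in entry:
            findings.append(("wildcard", entry))
        if fnmatch.fnmatchcase(own_package, entry):
            findings.append(("self-allowlisted", entry))
    return findings


def skipped_by_name(raw_json, installed):
    """Map each package a name-only check would skip to the entry that matched."""
    patterns = json.loads(raw_json)
    skipped = {}
    for pkg in installed:
        match = next((p for p in patterns if fnmatch.fnmatchcase(pkg, p)), None)
        if match is not None:
            skipped[pkg] = match
    return skipped


if __name__ == "__main__":
    for kind, entry in audit_allowlist(SAMPLE_WHITELIST, "com.example.fakeav"):
        print(f"{kind}: {entry}")
    for pkg, pattern in skipped_by_name(SAMPLE_WHITELIST, INSTALLED).items():
        print(f"{pkg} skipped via {pattern}")
```

A name match says nothing about who built a package, so an allowlist is only meaningful when each name is paired with the signing certificate expected for it.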


The application in question disguises itself as an “antivirus” app, but as explained, it lacks the capability to detect real malware, giving users a false sense of security. It often flags legitimate apps as malicious, creating further confusion. This false sense of protection can expose users to actual threats from undetected malicious apps.


The use of a static blacklist/whitelist without any update mechanism confirms that this app is adware. The high download count is concerning and demonstrates how easily malware authors can trick users into downloading junk apps. Additionally, the app is not entirely free, offering a paid upgrade. If future updates include other types of malware, it could seriously harm users’ devices.

Despite having a 4-star rating, not all downloads are necessarily genuine. It is common practice for bots to generate fake downloads and post positive reviews, artificially boosting the app’s ratings.
Note: At the time of writing this blog, the app is still present on Google Play.

How To Stay Safe From Fake Mobile Apps

1. Check an app’s description before you download it.
2. Check the app developer’s name and their website. If the name sounds strange or odd, you have all the reasons to suspect it.
3. Go through the reviews and ratings of the app. But, note that these can also be faked.
4. Avoid downloading apps from third-party app stores.
5. Use a reliable mobile antivirus (like Quick Heal Total Security for Android) that can prevent fake and malicious apps from getting installed on your phone.
