Security company ESET found that 30 malicious apps claiming to offer tips and cheats for the popular gaming app Minecraft were uploaded to Google Play over the last nine months and subsequently downloaded by up to 2.8 million Android users.
Google has since removed the rogue apps from the store.
“All of the discovered apps were fake in that they did not contain any of the promised functionality and only displayed banners that tried to trick users into believing that their Android system is infected with a ‘dangerous virus’,” wrote malware researcher Lukas Stefanko in a blog post on We Live Security.
“Several of them were installed between 100,000 and 500,000 times and the total number of installations of all 33 scareware applications lies between 660,000 and 2,800,000,” he added.
Once downloaded, the apps trick users into believing they have a dangerous virus on their device. The app then sends an SMS claiming to be an anti-virus activation request, and if a user replies to the message they are signed up to a premium-rate SMS subscription costing €4.80 per week.
The apps were uploaded to the Play store by different developer accounts, but ESET believes they were all created by one person.
“It’s not easy to slip a malicious application into Google’s official Play Store these days,” noted Stefanko, thanks to Google’s automated application scanner, Bouncer, which helps reduce the amount of malware on the official app store.
However, some malicious apps can still make their way in.
Bouncer has been in place since 2011 and scans all uploaded applications, decreasing the percentage of malicious titles in the store by about 40 per cent.
In March 2015, Google announced that all applications would also be reviewed by humans. “This step should increase security and further lower the amount of malicious applications on Google Play,” said the researcher, who also recommends that users take extra time to read reviews of an app and consider what permissions are requested during installation.