Scammers seem to be using a new technique to dupe Android victims into believing an app on Google Play is safe and trustworthy - bogus download numbers. Apart from the app’s icon and name, users typically take a quick look at the developer name to verify if the application is made by a trusted, well-established name.
Now, some malicious app authors have been fraudulently setting significantly high number of installs as their developer names in an attempt to look like established developers catering to a vast user base.
ESET security researcher Lukas Stefanko discovered hundreds of apps leveraging this trick among others to lure Android users into downloading apps that have little to no functionality, but bombard users with many advertisements.
“The freedom to set any number of choice as developer name has inspired some remarkably ambitious claims – one game developer, for instance, would like users to believe his games have been installed more than five billion times,” Stefanko writes in a blog post. He notes that some of the highest-ranking apps with “1,000,000,000+” installs include notable names such as Google Play, Gmail, Facebook, Whatsapp and Skype among others.
Still, some cases have the malicious app authors change their names to “5,000,000,000+” to trick victims into believing their creations are extremely popular. In one case, the developer changed his name from the fake installations number to a an actual legitimate developer name to push the popularity of his fake apps, and pushing the popularity of the fake apps published by him. The developer initially used the name "1,000,000,000” before changing it to “DIVID APPS” (as seen below).
Image credit: WeLiveSecurity
“Besides using fake installation numbers to attempt to manipulate users into downloading their apps, some app authors have also been using phrases indicating legitimacy, such as ‘Legit Apps’, ‘Verified Applications’, and ‘Trusted Developers App’,” Lukas noted. “Some also incorporate a check mark symbol, similar to those used as “verified” badges for the accounts of well-known personalities and brands on various social media sites.”
"As Google Play does not offer a developer account verification service, any app sporting such a tag should necessarily be considered suspicious," Stefanko said.
Although these tricks may seem to be simple, they can be an effective way to mislead users who usually depend on popularity and number of installs to verify the veracity of an app before downloading it.
“While none of these apps were outright malicious, these techniques could easily be misused by malware authors in the future,” Stefanko added To determine the legitimacy of apps before downloading them, he suggests users check for the Editor’s Choice badge in the top-right corner of the app’s Google Play page. Users should also check user reviews and remember that the installation count are only visible in the “Additional Information” section at the bottom of the page.