Based on ESET’s notice, Google has removed another
malicious app from its official Android app store. It had received
100,000-500,000 downloads since November 2016.
Unlike typical downloaders, ransomware and similar
nasty stuff, this app – named F11 – did not contain any harmful code. Instead,
it relied purely on social engineering, tricking users into paying €18 ($19)
for Adobe Flash Player.
Yes, Flash Player for Android, which has always
been available for free and which was discontinued back in 2012, amid wide
criticism of its security vulnerabilities.
“Factually,
this is a scam,” explains Lukáš Štefanko, ESET malware researcher who led the
investigation.
“Legally, the crooks behind this operation tried to
avoid the scam label. However, because of how they implemented their trick,
it’s safe to call it a scam.”
How the scam works
Once downloaded (the app’s takedown from Google
Play hasn’t disrupted the scam itself), the app displays a tutorial with
detailed instructions on how to download Flash Player. On that page, the user
is directed to PayPal to pay €18 to buy Flash Player.
“The authors
of this scam have gone a long way to make it appear as a legitimate business,”
highlights Štefanko. “For example, the app was listed in the educational
section of the Play store. However, the shopping basket at PayPal reveals the
true nature of the operation: the item in it is called Flash Player 11.”
This is exactly where the operation turns from an
aggressive practice of providing users with overpriced and unnecessary advice
to a pure scam of selling an item without having any right to do so. Only
Adobe, the maker of Flash Player and owner of all rights associated with it,
could officially sell it (if they haven’t made it available for free).
After the payment is made, the scam once again
pretends to provide “something” in exchange for the victim’s money. Along with
a link to a Flash Player installation tutorial – which is a set of several
obvious tips – victims are prompted to install Firefox or Dolphin browser. These
browsers support Flash Player by default as they contain the plugin for playing
Flash content.
“At the end of the whole operation, victims end up
being able to play Flash content on their devices,” explains Štefanko.
“However, it’s thanks to either browser the user chooses to install. In another
words, the user did not install what they had paid for. And – by the way – both
Firefox and Dolphin are free.
How to stay safe
ESET Mobile Security detects the malicious F11 app
as Android/FakeFlash.F and prevents it from getting installed.
Aside from advice to avoid suspicious apps, in this
particular case it must be noted that it’s a bad idea to have Flash Player
installed on an Android device. Because of its countless vulnerabilities, Flash
has proven to compromise any device’s security.
Those who want to have Flash installed at any cost
on their mobile device should follow the recommendations by Adobe security
experts requested by WeLiveSecurity:
Adobe strongly advises that users only install and
update the Flash Player via one of the following means:
·
By
downloading it from the Adobe Flash Player Download Center
at https://get.adobe.com/flashplayer/
·
By updating
it only via the update mechanism within a genuine installation of the Adobe
Flash Player that was installed via the Adobe Flash Player Download Center
·
By
installing/updating genuine versions the Adobe Flash Player installed with
Google Chrome for Windows, Macintosh, Linux and Chrome OS, and/or Adobe Flash
Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10
and 8.1
How to get your money back
Those who have fallen victim to the scam and made
the “purchase” via PayPal have a full 180 days to open a dispute in the
PayPal’s Resolution Center. We at WeLiveSecurity made the payment, will seek
the refund and will raise legal action with the goal of taking down the whole
scheme and bring those behind it to justice.