Three activity-tracking apps have been downloaded around 20 million times from the Google Play Store, according to software company Dr.Web (via BleepingComputer). What draws Android users to these three tracking applications so much? They advertise themselves as pedometers and health trackers that encourage you to exercise by promising cash rewards to those who meet specific targets.
They are still listed in the Google Play Store
According to the study from Dr.Web, these prizes are frequently impossible to obtain: users must accrue a significant number of rewards and are then required to view a huge number of ads in order to cash out. After they had already seen all of them, users were instructed to watch more advertisements in order to “speed up” the rewards process. Even then, the research claims, “The applications did not check any of the payment-related data submitted by users, therefore the chances of obtaining any of the money promised from these apps are extremely tiny.”
Three apps mentioned in the report remain in the Google Play Store. They are:
- Lucky Step – Walking Tracker with 10 million downloads.
- WalkingJoy with 5 million downloads.
- Lucky Habit: health tracker with 5 million downloads.
All three apps connect to the same command-and-control (C&C) server. Such servers are usually used by attackers to send instructions to systems infected by malware. With all three apps communicating with the same remote server, it is apparent that they have the same developer. It is also pointed out that earlier versions of the Lucky Step-Walking Tracker falsely said that users had the option of converting their rewards into gift cards for various online stores.
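The shared-server reasoning above can be checked against network telemetry. This added example (not code from Dr.Web or from the original article) groups apps by the backend hosts they have in common while ignoring hosts that most apps contact, such as ad SDK endpoints; the package names, host names and the max_share threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed telemetry: (app package, remote host) pairs, e.g. taken from DNS
# or proxy logs on test devices. Every name below is invented for illustration.
OBSERVATIONS = [
    ("com.example.walkrewards", "api.rewards-backend.example"),
    ("com.example.stepjoy", "api.rewards-backend.example"),
    ("com.example.habitcoins", "api.rewards-backend.example"),
    ("com.example.walkrewards", "ads.common-sdk.example"),
    ("com.example.stepjoy", "ads.common-sdk.example"),
    ("com.example.habitcoins", "ads.common-sdk.example"),
    ("com.example.notes", "ads.common-sdk.example"),
    ("com.example.weather", "ads.common-sdk.example"),
    ("com.example.flashlight", "ads.common-sdk.example"),
    ("com.example.weather", "api.weather-data.example"),
    ("com.example.notes", "sync.notes-cloud.example"),
]

def shared_backends(observations, max_share=0.6):
    """Hosts contacted by 2+ apps but by at most max_share of all apps.
    Hosts nearly every app contacts (ad/analytics SDKs) are not evidence
    of common ownership, so they are dropped."""
    index = defaultdict(set)
    for app, host in observations:
        index[host].add(app)
    total = len({app for app, _ in observations})
    return {h: a for h, a in index.items()
            if len(a) >= 2 and len(a) / total <= max_share}

def cluster_apps(observations, max_share=0.6):
    """Group apps linked, directly or transitively, by a shared backend."""
    parent = {}
    def find(x):  # union-find lookup with path compression
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for apps in shared_backends(observations, max_share).values():
        first, *rest = sorted(apps)
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for app in parent:
        groups[find(app)].add(app)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    for group in cluster_apps(OBSERVATIONS):
        print("likely common operator:", ", ".join(group))
```

A shared backend is a lead rather than proof: unrelated apps can use the same hosting or white-label service, so confirm a cluster with signing certificates or code overlap.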
Remember, these crooked developers make money when you view their ads. The more ads you watch, the more money they make.
The mechanism that would convert prizes into cash was eventually removed in an update to the Lucky Step-Walking Tracker app, and the interface elements that would need to be tapped to complete this conversion vanished. The prizes that had been accumulated before were now useless.
One more malicious app that you need to avoid
Dr.Web’s report also highlighted a workout program called FitStar that generates a personalized weight-loss plan for 29 rubles (equivalent to 41 U.S. cents). However, individuals who subscribed were unaware that the program they were enrolling in was only valid for one day. Following the trial period, users were automatically renewed for an additional four days of service at 980 rubles ($13.86). The program’s full access cost 7,000 rubles ($98.98), and users’ subscriptions were automatically renewed every four days.
This app is also still listed in the Google Play Store. Comments for this app note that if you install it, the icon doesn’t show up on your phone’s list of installed apps, making it hard to uninstall. The same review also notes that “The app is trying from the start to get into either Facebook or Google data…”
In the same report, Dr.Web warned that phishing apps disguised as investment apps and games were found on Google Play, with over 450,000 downloads.
The apps connect to a remote server upon launch and receive a configuration instructing them on what to do. Typically, the instructions involve loading phishing pages that request users to enter sensitive details.
The malicious game apps observed by Dr.Web are the following:
- Golden Hunt – 100,000 downloads
- Reflector – 100,000 downloads
- Seven Golden Wolf blackjack – 100,000 downloads (still on Google Play)
- Unlimited Score – 50,000 downloads
- Big Decisions – 50,000 downloads
- Jewel Sea – 10,000 downloads
- Lux Fruits Game – 10,000 downloads
- Lucky Clover – 10,000 downloads
- King Blitz – 5,000 downloads
- Lucky Hammer – 1,000 downloads
If any of the aforementioned phishing apps are already installed on your Android device, you should uninstall them right away. After that, conduct an antivirus scan to find and get rid of any leftovers.
Google has been questioned regarding the security of the apps that are still available on the Play Store.