A new form of Android malware is wreaking havoc on Google Play. The malware, called FalseGuide was found in several Android apps that have been installed by over two million users.

Discovered by Trend Micro, FalseGuide's main focus is on infecting and adding as many devices to a centrally-managed botnet. The purpose of this botnet is to show unrequested ads to victims, via popups or other means.

FalseGuide's purpose is not different from other infamous Android malware families such as DressCode or Viking Horde. The difference is how FalseGuide operators achieve this.

FalseGuide spreading via game guide apps

The group behind FalseGuide is spreading this malware via more than 40 "game guide" apps uploaded to the Play Store by three developers with the names Анатолий Хмеленко (Anatoly Khmelenko), Sergei Vernik, and Nikolai Zalupkin.

"FalseGuide masquerades as guiding apps for games for two major reasons," Trend Micro researchers explains. "First, guiding apps are very popular, monetizing on the success of the original gaming apps. Second, guiding apps require very little development and feature implementation. For malware developers, this is a good way to reach a widespread audience with minimal effort."

A game guide app infected with FalseGuide malware
A "game guide" app infected with FalseGuide malware

According to separate reports from Trend Micro and Zimperium, the infection process is quite complex and specifically designed to avoid detection.

FalseGuide asks for admin rights

Users conscious about the permissions they grant apps can quickly identify that something is wrong because FalseGuide-infected apps ask for "Device Admin," a permission that creates a separate admin account for the app.

Game guide apps are nothing more than an overhyped collection of images and text, so there should be no reason to give an app with the features of a web page its own separate administrator account.

But since most users generally ignore the permissions request screen during an app's installation process, these apps manage to get what they ask for, hence the two million of victims FalseGuide has made so far.

FalseGuide lies in hiding, downloads modules later

On the phones where the app obtains admin rights, the app will connect to a Firebase Cloud Messaging thread and will lie in waiting.

FalseGuide operators can then use this Firebase thread to push modules that all infected phones will download and run without the phone owner's knowledge or consent.

Trend Micro says these modules have the capabilities to root the user's device, launch DDoS attacks, work as relay points to reach private networks, or show ads to infected hosts.

While currently FalseGuide has been used only to show ads, the danger of having malware with such stealthy and broad functionality on your device is obvious, as the malware could always make a U-turn and start collecting sensitive data from the user's device.<

Play Store plagued by several malicious apps

Furthermore, users are often told to install apps from the official Play Store because Google scans and vets all apps. This hasn't been true in recent months, and the Play Store hasn't been a safe place anymore. Malware families such as Chamois, MilkyDoor, or BankBot have consistently found ways to infiltrate Google's defenses, time after time.

The common characteristic found in all four apps seems to be the malware's ability to lay dormant and take malicious actions at a later stage, usually after Google has already scanned the app and deemed it clean.

Google has removed all the apps Trend Micro found. A full list of apps infected with FalseGuide is available here, and you can check and see if you've installed any of them since November 2016, the date when Trend Micro believes a FalseGuide app was first uploaded to the Play Store.