Story image

Don’t pay for what is for free: Malicious Adobe Flash Player app found on Google Play

05 Apr 2017

Based on ESET’s notice, Google has removed another malicious app from its official Android app store. It had received 100,000-500,000 downloads since November 2016.

Unlike typical downloaders, ransomware and similar nasty stuff, this app – named F11 – did not contain any harmful code. Instead, it relied purely on social engineering, tricking users into paying €18 ($19) for Adobe Flash Player.

Yes, Flash Player for Android, which has always been available for free and which was discontinued back in 2012, amid wide criticism of its security vulnerabilities.

Figure 2: Deceptive instructions displayed by the app

“Factually, this is a scam,” explains Lukáš Štefanko, ESET malware researcher who led the investigation.

“Legally, the crooks behind this operation tried to avoid the scam label. However, because of how they implemented their trick, it’s safe to call it a scam.”

How the scam works

Once downloaded (the app’s takedown from Google Play hasn’t disrupted the scam itself), the app displays a tutorial with detailed instructions on how to download Flash Player. On that page, the user is directed to PayPal to pay €18 to buy Flash Player.

Figure 3: The victim gets directed to pay for the Flash Player

“The authors of this scam have gone a long way to make it appear as a legitimate business,” highlights Štefanko. “For example, the app was listed in the educational section of the Play store. However, the shopping basket at PayPal reveals the true nature of the operation: the item in it is called Flash Player 11.”

This is exactly where the operation turns from an aggressive practice of providing users with overpriced and unnecessary advice to a pure scam of selling an item without having any right to do so. Only Adobe, the maker of Flash Player and owner of all rights associated with it, could officially sell it (if they haven’t made it available for free).

After the payment is made, the scam once again pretends to provide “something” in exchange for the victim’s money. Along with a link to a Flash Player installation tutorial – which is a set of several obvious tips – victims are prompted to install Firefox or Dolphin browser. These browsers support Flash Player by default as they contain the plugin for playing Flash content.

“At the end of the whole operation, victims end up being able to play Flash content on their devices,” explains Štefanko. “However, it’s thanks to either browser the user chooses to install. In another words, the user did not install what they had paid for. And – by the way – both Firefox and Dolphin are free.

How to stay safe

ESET Mobile Security detects the malicious F11 app as Android/FakeFlash.F and prevents it from getting installed.

Aside from advice to avoid suspicious apps, in this particular case it must be noted that it’s a bad idea to have Flash Player installed on an Android device. Because of its countless vulnerabilities, Flash has proven to compromise any device’s security.

Those who want to have Flash installed at any cost on their mobile device should follow the recommendations by Adobe security experts requested by WeLiveSecurity:

Adobe strongly advises that users only install and update the Flash Player via one of the following means:

  • By downloading it from the Adobe Flash Player Download Center
  • By updating it only via the update mechanism within a genuine installation of the Adobe Flash Player that was installed via the Adobe Flash Player Download Center
  • By installing/updating genuine versions the Adobe Flash Player installed with Google Chrome for Windows, Macintosh, Linux and Chrome OS, and/or Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1

How to get your money back

Those who have fallen victim to the scam and made the “purchase” via PayPal have a full 180 days to open a dispute in the PayPal’s Resolution Center. We at WeLiveSecurity made the payment, will seek the refund and will raise legal action with the goal of taking down the whole scheme and bring those behind it to justice.

Article by Peter Stancik, security evangelist, welivesecurity.

Aerohive launches guide to cloud-managed network access control
NAC for Dummies teaches the key aspects of network access control within enterprise IT networks and how you can secure all devices on the network.
Sungard AS named DRaaS leader by Forrester
It was noted for its disaster-recovery-as-a-service solution’s ability to “serve client needs at all stages of their need for business continuity.”
Gartner: The five priorities of privacy executives
The priorities highlight the need for strategic approaches to engage with shifting regulatory, technology, customer and third-party risk trends.
emt Distribution adds risk intelligence vendor
Flashpoint has signed emt Distribution to provide channel partners in Oceania and South East Asia a solution for illicit threat actor communities.
CrowdStrike: Improving network security with cloud computing solutions
Australian spending on public cloud services is expected to reach $6.5 billion this year according to Gartner
Thycotic debunks top Privileged Access Management myths
Privileged Access encompasses access to computers, networks and network devices, software applications, digital documents and other digital assets.
Veeam reports double-digit Q1 growth
We are now focussed on an aggressive strategy to help businesses transition to cloud with Backup and Cloud Data Management solutions.
Paving the road to self-sovereign identity using blockchain
Internet users are often required to input personal information and highly-valuable data from contact numbers to email addresses to make use of the various platforms and services available online.