Story image

Don’t pay for what is for free: Malicious Adobe Flash Player app found on Google Play

05 Apr 17

Based on ESET’s notice, Google has removed another malicious app from its official Android app store. It had received 100,000-500,000 downloads since November 2016.

Unlike typical downloaders, ransomware and similar nasty stuff, this app – named F11 – did not contain any harmful code. Instead, it relied purely on social engineering, tricking users into paying €18 ($19) for Adobe Flash Player.

Yes, Flash Player for Android, which has always been available for free and which was discontinued back in 2012, amid wide criticism of its security vulnerabilities.

Figure 2: Deceptive instructions displayed by the app

“Factually, this is a scam,” explains Lukáš Štefanko, ESET malware researcher who led the investigation.

“Legally, the crooks behind this operation tried to avoid the scam label. However, because of how they implemented their trick, it’s safe to call it a scam.”

How the scam works

Once downloaded (the app’s takedown from Google Play hasn’t disrupted the scam itself), the app displays a tutorial with detailed instructions on how to download Flash Player. On that page, the user is directed to PayPal to pay €18 to buy Flash Player.

Figure 3: The victim gets directed to pay for the Flash Player

“The authors of this scam have gone a long way to make it appear as a legitimate business,” highlights Štefanko. “For example, the app was listed in the educational section of the Play store. However, the shopping basket at PayPal reveals the true nature of the operation: the item in it is called Flash Player 11.”

This is exactly where the operation turns from an aggressive practice of providing users with overpriced and unnecessary advice to a pure scam of selling an item without having any right to do so. Only Adobe, the maker of Flash Player and owner of all rights associated with it, could officially sell it (if they haven’t made it available for free).

After the payment is made, the scam once again pretends to provide “something” in exchange for the victim’s money. Along with a link to a Flash Player installation tutorial – which is a set of several obvious tips – victims are prompted to install Firefox or Dolphin browser. These browsers support Flash Player by default as they contain the plugin for playing Flash content.

“At the end of the whole operation, victims end up being able to play Flash content on their devices,” explains Štefanko. “However, it’s thanks to either browser the user chooses to install. In another words, the user did not install what they had paid for. And – by the way – both Firefox and Dolphin are free.

How to stay safe

ESET Mobile Security detects the malicious F11 app as Android/FakeFlash.F and prevents it from getting installed.

Aside from advice to avoid suspicious apps, in this particular case it must be noted that it’s a bad idea to have Flash Player installed on an Android device. Because of its countless vulnerabilities, Flash has proven to compromise any device’s security.

Those who want to have Flash installed at any cost on their mobile device should follow the recommendations by Adobe security experts requested by WeLiveSecurity:

Adobe strongly advises that users only install and update the Flash Player via one of the following means:

  • By downloading it from the Adobe Flash Player Download Center
  • By updating it only via the update mechanism within a genuine installation of the Adobe Flash Player that was installed via the Adobe Flash Player Download Center
  • By installing/updating genuine versions the Adobe Flash Player installed with Google Chrome for Windows, Macintosh, Linux and Chrome OS, and/or Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1

How to get your money back

Those who have fallen victim to the scam and made the “purchase” via PayPal have a full 180 days to open a dispute in the PayPal’s Resolution Center. We at WeLiveSecurity made the payment, will seek the refund and will raise legal action with the goal of taking down the whole scheme and bring those behind it to justice.

Article by Peter Stancik, security evangelist, welivesecurity.

Cisco expands security capabilities of SD­-WAN portfolio
Until now, SD-­WAN solutions have forced IT to choose between application experience or security.
AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why Australian enterprises are prime targets for malware attacks
"Only 14% of Australian organisations are continuously training employees to spot cyber attacks."
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
Bitdefender announces security integration with Kaseya
The new partnership will allow VSA by Kaseya’s cloud and on-premises users to deploy and manage security with Bitdefender Cloud Security for MSPs.
Why you should leverage a next-gen firewall platform
Through full lifecycle-based threat detection and prevention, organisations are able to manage the entire threat lifecycle without adding additional solutions.
The quid pro quo in the IoT age
Consumer consciousness around data privacy, security and stewardship has increased tenfold in recent years, forcing businesses to make customer privacy a business imperative.