sb-au logo
Story image

Don’t pay for what is for free: Malicious Adobe Flash Player app found on Google Play

05 Apr 2017

Based on ESET’s notice, Google has removed another malicious app from its official Android app store. It had received 100,000-500,000 downloads since November 2016.

Unlike typical downloaders, ransomware and similar nasty stuff, this app – named F11 – did not contain any harmful code. Instead, it relied purely on social engineering, tricking users into paying €18 ($19) for Adobe Flash Player.

Yes, Flash Player for Android, which has always been available for free and which was discontinued back in 2012, amid wide criticism of its security vulnerabilities.

Figure 2: Deceptive instructions displayed by the app

“Factually, this is a scam,” explains Lukáš Štefanko, ESET malware researcher who led the investigation.

“Legally, the crooks behind this operation tried to avoid the scam label. However, because of how they implemented their trick, it’s safe to call it a scam.”

How the scam works

Once downloaded (the app’s takedown from Google Play hasn’t disrupted the scam itself), the app displays a tutorial with detailed instructions on how to download Flash Player. On that page, the user is directed to PayPal to pay €18 to buy Flash Player.

Figure 3: The victim gets directed to pay for the Flash Player

“The authors of this scam have gone a long way to make it appear as a legitimate business,” highlights Štefanko. “For example, the app was listed in the educational section of the Play store. However, the shopping basket at PayPal reveals the true nature of the operation: the item in it is called Flash Player 11.”

This is exactly where the operation turns from an aggressive practice of providing users with overpriced and unnecessary advice to a pure scam of selling an item without having any right to do so. Only Adobe, the maker of Flash Player and owner of all rights associated with it, could officially sell it (if they haven’t made it available for free).

After the payment is made, the scam once again pretends to provide “something” in exchange for the victim’s money. Along with a link to a Flash Player installation tutorial – which is a set of several obvious tips – victims are prompted to install Firefox or Dolphin browser. These browsers support Flash Player by default as they contain the plugin for playing Flash content.

“At the end of the whole operation, victims end up being able to play Flash content on their devices,” explains Štefanko. “However, it’s thanks to either browser the user chooses to install. In another words, the user did not install what they had paid for. And – by the way – both Firefox and Dolphin are free.

How to stay safe

ESET Mobile Security detects the malicious F11 app as Android/FakeFlash.F and prevents it from getting installed.

Aside from advice to avoid suspicious apps, in this particular case it must be noted that it’s a bad idea to have Flash Player installed on an Android device. Because of its countless vulnerabilities, Flash has proven to compromise any device’s security.

Those who want to have Flash installed at any cost on their mobile device should follow the recommendations by Adobe security experts requested by WeLiveSecurity:

Adobe strongly advises that users only install and update the Flash Player via one of the following means:

  • By downloading it from the Adobe Flash Player Download Center
  • By updating it only via the update mechanism within a genuine installation of the Adobe Flash Player that was installed via the Adobe Flash Player Download Center
  • By installing/updating genuine versions the Adobe Flash Player installed with Google Chrome for Windows, Macintosh, Linux and Chrome OS, and/or Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1

How to get your money back

Those who have fallen victim to the scam and made the “purchase” via PayPal have a full 180 days to open a dispute in the PayPal’s Resolution Center. We at WeLiveSecurity made the payment, will seek the refund and will raise legal action with the goal of taking down the whole scheme and bring those behind it to justice.

Article by Peter Stancik, security evangelist, welivesecurity.

Story image
ExtraHop reveals methods used by attackers in SUNBURST breach
The network detection and response company says between late March and early October 2020, detections of probable malicious activity increased by approximately 150%, including detections of lateral movement, privilege escalation and command and control beaconing.More
Story image
Palo Alto Networks turns attention to supporting remote workforces
"We’re working with more organisations to pivot their security architecture and move towards a cloud-delivered security model that can safely connect any user, to any application, from anywhere.”More
Story image
Sophos announces collaboration with Qualcomm for PC security
This unification enables a connected, interactive computing environment that combines smartphone and PC technology to deliver security capabilities and opportunities, the company states.More
Story image
Dicker Data scores One Identity distribution agreement for Australia
Dicker Data has entered into a distribution agreement with One Identity, a Quest Software company specialising in identity-centric security. The agreement was effective as of 1 March 2021.More
Story image
Ingram Micro advances dedicated security practice with new hire
Lazarus has strong advice for all resellers. He says, “If you’re not talking security as part of every customer engagement, you're not having the right conversation.”More
Story image
CyberCX and AustCyber launch platform to boost Aus cybersecurity industry
"Australia has some of the best cyber talent in the world, but we need to expand the supply of talent coming through the pipeline if we are to have a vibrant and globally competitive economy."More