Based on ESET’s notice, Google has removed another malicious app from its official Android app store. It had received 100,000-500,000 downloads since November 2016.
Unlike typical downloaders, ransomware and similar nasty stuff, this app – named F11 – did not contain any harmful code. Instead, it relied purely on social engineering, tricking users into paying €18 ($19) for Adobe Flash Player.
Yes, Flash Player for Android, which has always been available for free and which was discontinued back in 2012, amid wide criticism of its security vulnerabilities.
Figure 2: Deceptive instructions displayed by the app
“Factually, this is a scam,” explains Lukáš Štefanko, ESET malware researcher who led the investigation.
“Legally, the crooks behind this operation tried to avoid the scam label. However, because of how they implemented their trick, it’s safe to call it a scam.”
How the scam works
Once downloaded (the app’s takedown from Google Play hasn’t disrupted the scam itself), the app displays a tutorial with detailed instructions on how to download Flash Player. On that page, the user is directed to PayPal to pay €18 to buy Flash Player.
Figure 3: The victim gets directed to pay for the Flash Player
“The authors of this scam have gone a long way to make it appear as a legitimate business,” highlights Štefanko. “For example, the app was listed in the educational section of the Play store. However, the shopping basket at PayPal reveals the true nature of the operation: the item in it is called Flash Player 11.”
This is exactly where the operation turns from an aggressive practice of providing users with overpriced and unnecessary advice to a pure scam of selling an item without having any right to do so. Only Adobe, the maker of Flash Player and owner of all rights associated with it, could officially sell it (if they haven’t made it available for free).
After the payment is made, the scam once again pretends to provide “something” in exchange for the victim’s money. Along with a link to a Flash Player installation tutorial – which is a set of several obvious tips – victims are prompted to install Firefox or Dolphin browser. These browsers support Flash Player by default as they contain the plugin for playing Flash content.
“At the end of the whole operation, victims end up being able to play Flash content on their devices,” explains Štefanko. “However, it’s thanks to either browser the user chooses to install. In another words, the user did not install what they had paid for. And – by the way – both Firefox and Dolphin are free.
How to stay safe
ESET Mobile Security detects the malicious F11 app as Android/FakeFlash.F and prevents it from getting installed.
Aside from advice to avoid suspicious apps, in this particular case it must be noted that it’s a bad idea to have Flash Player installed on an Android device. Because of its countless vulnerabilities, Flash has proven to compromise any device’s security.
Those who want to have Flash installed at any cost on their mobile device should follow the recommendations by Adobe security experts requested by WeLiveSecurity:
Adobe strongly advises that users only install and update the Flash Player via one of the following means:
- By downloading it from the Adobe Flash Player Download Center
- By updating it only via the update mechanism within a genuine installation of the Adobe Flash Player that was installed via the Adobe Flash Player Download Center
- By installing/updating genuine versions the Adobe Flash Player installed with Google Chrome for Windows, Macintosh, Linux and Chrome OS, and/or Adobe Flash Player installed with Microsoft Edge and Internet Explorer 11 for Windows 10 and 8.1
How to get your money back
Those who have fallen victim to the scam and made the “purchase” via PayPal have a full 180 days to open a dispute in the PayPal’s Resolution Center. We at WeLiveSecurity made the payment, will seek the refund and will raise legal action with the goal of taking down the whole scheme and bring those behind it to justice.
Article by Peter Stancik, security evangelist, welivesecurity.