Worth looking again: fake Flash Player apps in Google Play store

01/24/2014
G DATA Blog

At the weekend, a number of fraudulent apps pretending to be Adobe Flash Player appeared on the official Google Play store. Of the three apps we looked at, all demanded payment from the user before installation and one even spied on the user in the background. Google reacted fast and deleted the programs, which are detected as Android.Application.FakeApp.A by G Data’s mobile security solutions.

One important thing first: there is no actual Flash Player app any more
The original Adobe Flash Player app is no longer available to download in the Google Play store. Adobe, which appears as Adobe Systems in the Play store, does not offer the app there – the Flash Player functionality has now been integrated into the Adobe AIR app for Android, so users no longer need a dedicated Flash Player app. This can be seen from the roadmap for Flash, which can be viewed online:
"Flash Player 11.1 is the last release of the Flash Player plug-in for mobile browsers. […]Adobe continues to actively invest in enabling developers to create and deploy Flash based content as mobile (and desktop) applications via Adobe AIR."
Devices with the Android 4.1 operating system or later can no longer use a certified version of the Flash player. Instead, users should install the original version of Adobe AIR for Android, which contains the Flash functionality. Devices with operating systems prior to Android 4.1 should be certified to prevent compatibility issues; Flash Player 11.1 can then be downloaded from the Adobe archives.
 

Fraudsters exploit lack of awareness

Adobe Flash is a very well known player, especially on desktop systems. Hence it seems obvious to the majority of users that they will also need this player for their mobile device. Yet most people are generally unaware of the fact that the functionality has been incorporated into Adobe AIR, as stated above. The fraudsters are exploiting this situation and designing fake apps.

If users merely look at the app logos, they run the risk of installing fake software, as in this case. But looking at who the developer is can sometimes quickly expose a scam: "Adobe Flash Player" with the inclusion of asterisks should catch the user's attention. Using a developer name such as "Adobe LLC" offers a better disguise.
Alert users can even find a direct reference to the scam in the description text of the three apps: "[TRADEMARK] We aren't affiliated with Adobe Corporation" say all the texts in unison, indicating that the same fraudsters are behind all three.

What do these apps do?

The apps from developer "Adobe Flash Player" contain no malware functions in the traditional sense. They just open a website containing information aimed at trying to persuade the user to transfer five euros via PayPal to get the actual Adobe app. Whether the original app (Flash Player 11.1.115.81 from the archive, which should not be installed on newer devices under any circumstances – see above) is actually offered following the payment process is unclear. In any case, we urgently encourage you not to pay the fee.

The app from developer "Adobe LLC", on the other hand, is bolder: again it simply attempts to lure the user into paying the five euros – which is another indicator that the apps originate from the same fraudsters – except that this one starts spying on the user after installation. The program code makes it clear which data the app intercepts and forwards:

The list includes things such as the system language, the OS version and screen resolution – data that is not subsequently compromising. The mobile service provider (carrier) is not necessarily included. In addition to this information, the app also reads the device's IMEI. This is the device's "fingerprint" and hence is extremely valuable and worthy of protection. If the fraudsters get hold of an IMEI, there might be various options for exploiting this, such as:

  • Using the IMEI to clone the device.
  • Using the IMEI to track the device.


The app steals the data in the background, unnoticed by the user. However, something else is going on in the foreground: the fake application displays another "app wall" showing more applications that might be of interest to the user. Here again the language etc may potentially be read, so the apps displayed are tailored to the user.
 

Conclusion

The level of security in the Google Play store is very high. Even so, due to the volume of (new) apps, undesirable software can still sneak in despite protective measures such as Google Bouncer – as previously covered by G Data’s Malware Report H2 2012. Again, users must exercise caution when using the Google Play store and ideally use a security solution to protect their mobile devices.
 

Tips

  • Use a comprehensive security solution for your Android mobile device, such as G Data Internet Security for Android.
  • Where possible only download apps from the official Google Play market or from trustworthy sources.
    • Pay special attention to the app evaluations and comments as well as the rights requested by the app. Check and assess these prior to installation.
    • If you want to download copies of globally renowned software, check whether the developer quoted in the store is actually the provider of the software. For example, visit the provider's site and access the app store from there.