Zscaler has spoiled someone's app-spoofing sting, discovering a fake battery monitor app on Google Play.
Worryingly, the spoof app seems to have gotten past Google's self-lauded Bouncer app vetting system.
The company reckons the malicious version of the BatteryBot battery indicator app was probably trying to put together an army of compromised devices for click fraud, ad fraud and premium SMS scams.
Now removed from Play, the fake BatteryBot Pro was offered for free (the real thing sells for 179.99 Rupees, about US$2.84), and as Zscaler's Shivang Desai writes, its intentions were revealed by the permissions it seeks (basically, everything).
It also tries to gather various device stats like available memory, IMEI, carrier, location, language, phone model, and SIM card availability.
Particular red flags identified by the group were the fake seeking administrative control over a downloader's device. Its background activity included loading fraudulent ad libraries.
“Upon installation of the malicious app, it demanded administrative access, which clearly portrays the motive of malware developer to obtain full control access of the victim's device”, Desai writes.
“Once the permission is granted, the fake app will provide the same functionality to the victim found in the original version of BatteryBot Pro but performs malicious activity in the background.”
Too many permissions: Zscaler's comparison of real-versus-fake requests
The SMS fraud is carried out by having the malicious app contact a command and control server to retrieve premium-rate SMS numbers. That would let the miscreants in charge of the app respond with new target numbers if someone like a carrier cancelled the scam accounts.
Zscaler notes that the app is hard to delete – with admin privileges, it's beyond the ordinary user, and there's an extra nasty. A separate persistence package called com.nb.superuser runs on a different thread and survives deletion of the main app. That lets the persistence app re-install the fake battery monitor if the user roots their phone and kills the malware. ®