Zimperium Blog

Threat Research: FalseGuide

This Threat Research is about the recently (re)discovered “FalseGuide” threat found in Google Play.

FalseGuide is a form of malware that has been hidden in more than 40 game guide apps in Google Play since February 2017. According to reports, approximately 600,000 devices may have been infected before the known versions of the malware were removed from Google Play. Newly infected apps were found in April and subsequently removed again, setting a pattern for additional infections to be released and found in the future. FalseGuide creates a silent botnet out of the infected devices for adware purposes, and also could enable the attacker to root the device or conduct DDoS attacks.

Additional details of the threat, and how Zimperium zIPS protects devices against it, are included below.

Threat/Attack Description:

  • FalseGuide requests device admin permission on installation, thereby avoiding detection and deletion by the device owner.
  • The malware then registers itself to a Firebase Cloud Messaging topic which has the same name as the app.
  • Once subscribed to the topic, FalseGuide can receive messages containing links to additional modules and download them to the infected device.
  • FalseGuid then displays illegitimate pop-up ads using a background service that starts running once the device is booted.

zIPS Detection:

zIPS will detect and alert on all of these malicious apps with an option to delete/uninstall the apps immediately.

When an app is downloaded or installed, the zIPS on-device engine analyzes the code to determine if it contains anything malicious. As a secondary layer of defense, zIPS can also query our advanced cloud-based threat intelligence capabilities (e.g., the Zimperium Global Malware Database) for additional analysis.

Threat level: Low