Updated on October 1, 2019 at 7:00 PM PST to amend an app description on App Store.
Google Play and the iOS App Store are no strangers to fake apps that try to trick users into downloading ad- or malware-ridden versions of legitimate apps. We have previously reported on fake Android voice apps on Google Play, which turned out to be impostors of voice messenger platforms. Recently, we also uncovered counterfeit applications hiding among legitimate offerings on the app stores. These fake apps imitate legitimate apps to trick unwitting users into installing what are really gambling apps.
We found hundreds of these fake apps on the iOS App Store and Google Play, with descriptions that do not match their content. While the descriptions varied, the apps share the same suspicious behavior: they can turn into gambling apps, which are liable to be banned for violating local government regulations and app store policies.
Some of the apps ranked in the Top 100 of the App Store and were possibly downloaded numerous times. Some were even rated more than 100,000 times. We’ve notified Apple and Google about our findings. Both have since removed the apps from App Store and Google Play.
Figure 1. Screenshot of the applications, where a seemingly normal app (left) also has an entirely different look (right)
Note: iOS apps (top), Android apps (below)
How the apps are distributed: From webpage to app store
The apps can be downloaded either through a gambling site or through the app stores mentioned above. For instance, visiting one such gambling site shows the page below.
Figure 2. Original webpage (left) and its English translation (right)
Notably, the download button on the site redirects the user to the App Store, which means that these gambling apps passed the iOS App Store's review. In other cases we observed, apps displayed a pop-up webpage that lured the user into installing an enterprise-signed app, which is distributed outside the App Store (and therefore outside its review) through an enterprise provisioning profile.
Figure 3. Fake App Store page (left) and instructions on how to install enterprise app on iPhone (right)
For Android users, the download button redirects to a page that hosts an Android application package (APK) file with the package name "com.bxvip.app.jiuzhouzy". This APK presents the same user interface (UI) as the gambling apps, loaded via WebView.
Figure 4. The UI of the com.bxvip.app.jiuzhouzy APK
Figure 5. According to its description on the iOS App Store, the app provides global holiday info (left), but the real UI is about a lottery (right)
The app's description on the App Store, as seen above, talks about global holiday info. Upon opening the app, however, we found different content, similar to the webpage mentioned earlier, but this time packaged inside a mobile app. The app, as downloaded, was entirely different from its App Store description.
Figure 6. Screenshots of the app on Google Play and the translated description (top), and the actual UI when launched (below)
These fake apps are deployed similarly on Google Play. Figure 6 shows the screenshots of its Google Play listing, and the actual UI when users launch the app.
How the fake apps bypassed the app stores’ review
Gambling or real money gaming apps are not prohibited on the App Store and Google Play, but they are heavily restricted. A June 2019 update to the App Store Review Guidelines, for instance, states that HTML5 games distributed within apps may not provide access to real money gaming, lotteries, or the like. Google Play, in addition, permits gambling apps only in certain countries and only if they meet Google's requirements. The fake apps we found do not meet these guidelines.
These fake apps start out as seemingly normal apps with varying features and functionalities (e.g., weather tracking or entertainment), but we found that the operator can remotely control whether the app appears innocuous or shows its real content. We describe the whole process in the flowchart below.
Figure 7. How the gambling apps get to the app stores
The fake apps have some interesting behaviors. For one thing, they have a "switch" feature, whereby the threat actor can set the app to either show or hide its actual content. The switch is simply turned off while the app is under review.
Figure 8. Loaded URL Code on iOS (top) and Android (below)
We replayed the traffic. Note that in the following figure, kaiguan (开关) is Mandarin Chinese for "switch," as in on/off, and the number 1700 in the hostname has no obvious meaning and stands out as a marker for these apps.
Figure 9. Response
The app queries the specified address with its app ID. A valid app ID returns a Base64-encoded response; an invalid one returns an empty body.
Figure 10. Decoded response
If the response is non-empty and decodes successfully, the decoded URL is loaded in a WebView.
Figure 11. Loaded WebView on iOS (top) and Android (below)
On iOS, if the response is empty, the WebView is hidden and the "normal" app continues.
Figure 12. Failed request on iOS (top) and Android (below)
On Android, an empty response makes the app jump to a local activity and continue its "normal" (store-approved) function.
As a result, the switch can be used to trick the reviewer. Before the app is submitted for review, the developer simply turns the switch off so that a normal-looking app starts (see Figure 1 for the normal and fake app comparison). The app passes app store review because the gambling content is never shown.
After the apps have passed the review, they can be publicly downloaded from the app stores. The threat actors then switch it “on” to enable viewing of the app’s actual content.
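The following is an added model of the switch logic described above, written for this review; it is not code from the apps or from the original report. The C&C endpoint, the app IDs and the target URLs are constructed, and the only behavior taken from the text is: valid app ID with the switch on yields a Base64-encoded URL, anything else yields an empty body, and the client falls back to its "normal" UI on any response it cannot decode to a URL. It also includes a triage check a practitioner can run over captured responses to spot this pattern, with an assumed size threshold.

```python
"""Model of the C&C 'switch' described in the text, plus a triage check.

Added example; not the apps' code. Endpoint, app IDs and URLs are constructed.
"""
import base64
import binascii
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed stand-in for the server-side app-ID table (made-up IDs and URLs).
SWITCH_TABLE: Dict[str, str] = {
    "com.example.holidayinfo": "https://lobby.gambling.example/",
    "com.example.colormatch": "https://play.lottery.example/index.html",
}


def cc_response(app_id: str, switch_on: bool) -> bytes:
    """Mimic the C&C. switch_on=False is the state the operator keeps while the
    app is under store review: every app ID then gets an empty body."""
    url = SWITCH_TABLE.get(app_id)
    if not switch_on or url is None:
        return b""
    return base64.b64encode(url.encode("utf-8"))


def client_decide(response: bytes) -> Optional[str]:
    """Client-side logic as described in the text: a non-empty body that
    Base64-decodes to an http(s) URL is loaded in the WebView; anything else
    (empty body, invalid Base64, non-URL text) means the WebView is hidden on
    iOS or a local activity is started on Android. Returns the URL or None."""
    if not response:
        return None
    try:
        decoded = base64.b64decode(response, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parsed = urlparse(decoded)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return decoded
    return None


def looks_like_switch_payload(body: bytes, max_len: int = 512) -> bool:
    """Triage heuristic for proxy or sandbox captures: a short response whose
    entire body is Base64 and decodes to a bare http(s) URL. Not proof on its
    own, but together with a subsequent WebView load of that URL it is a strong
    signal of the switch pattern. max_len is an assumed threshold."""
    body = body.strip()
    if not body or len(body) > max_len:
        return False
    return client_decide(body) is not None


def review_vs_release(app_id: str) -> Dict[str, Optional[str]]:
    """What a reviewer sees (switch off) versus what a user sees later (switch on)."""
    return {
        "review": client_decide(cc_response(app_id, switch_on=False)),
        "release": client_decide(cc_response(app_id, switch_on=True)),
    }


if __name__ == "__main__":
    # Constructed captured bodies: one switch payload and two benign responses.
    captures: List[bytes] = [
        cc_response("com.example.colormatch", switch_on=True),
        b'{"status":"ok"}',
        base64.b64encode(b"hello"),  # valid Base64, but not a URL
    ]
    for body in captures:
        print(body[:40], "->", looks_like_switch_payload(body))
    print(review_vs_release("com.example.holidayinfo"))
```

The point of review_vs_release is that the reviewer and the end user send the same request and get different answers: nothing in the binary changes between review and release, only the server's state. Static review of the package therefore cannot catch this; it needs either a replay of the network exchange with the switch on or a rule on the traffic shape, which is what looks_like_switch_payload approximates.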
Figure 13. Implanted page on these apps
Fake apps outrank apps they imitate
At the time of our research, these apps only seem to use WebView to load a gambling website, and do nothing malicious on the device. However, fake as these apps may be, they still outranked the apps they impersonated.
According to Google Play, the apps were only published in August 2019, which explains their low download numbers. This is not the case on the iOS App Store.
A keyword search on the App Store revealed two apps in the same category. The fake app ranks higher than the legitimate app it imitates (that is, the gambling app outranks the wine app).
Figure 14. The fake app ranks higher than the legitimate app
The legitimate app has been updated regularly for two years, while the fake app had only two minor updates in the past six months. We believe the pop-up WebView was implanted in the second update, on top of reusing the name and functionality of the legitimate app, to trick users and spread the gambling content. The actors may also have used SEO techniques to make the app rank higher in search results.
On the Chinese iOS App Store, for instance, it appears that many of these fake apps have cropped up and are in the Top 100 list. These apps have been highly downloaded, with one of them even getting 440,000 ratings.
Figure 15. Top-ranking gambling apps disguised as “normal” apps
We also searched the iOS App Store for typical keywords related to these apps and found the following numbers of matching results per regional storefront.
| Keyword | CN Market | JP Market | US Market |
| --- | --- | --- | --- |
| 重庆时时彩 (Chongqing Lottery Every Hour) | 214 | 40 | 61 |
| 分分彩 (Lottery Every Minute) | 55 | 26 | 52 |
| 北京赛车 (Beijing Racing) | 314 | 9 | 104 |
Table 1. Number of matching apps per keyword and regional App Store storefront
Figure 16. Google search results for Japan
Correlating the fake apps’ command-and-control (C&C) communications
We also found the C&C server, app[.]kaiguan1700[.]com, which controlled three of the apps listed above (its IP address hosts only this domain). It responds with the URL to be loaded in the WebView, selected by app ID. Shortly after we probed it, the server went offline, and at the same time these apps began to behave like normal apps: an unreachable C&C yields an empty response, so our probing had in effect turned the "switch" off by accident. This suggests that these fake apps share the same C&C server, which is a good indicator for identifying them.
Figure 17. C&C structure: How different domains and apps were related
Because hundreds of these fake apps were uploaded under different developer accounts and across varying categories, store metadata is a poor handle on them. Pivoting on the central C&C server groups the apps together regardless of account or category, and is a good way to keep them from reaching users.
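The pivot described above, as an added example written for this review rather than code from the original report: given per-app network observations (as collected from a sandbox run or an egress proxy), group apps by the hosts they contact and keep only hosts reached by several apps published under distinct developer accounts. The observations, app IDs and developer account names below are constructed; only the host app.kaiguan1700.com comes from the text, and the allowlist of shared SDK backends is an assumption to be extended from your own telemetry.

```python
"""Correlating apps through a shared C&C host. Added example; constructed data."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# (app_id, developer_account, contacted_host). Constructed observations; only
# app.kaiguan1700.com is a real host named in the report.
OBSERVATIONS: List[Tuple[str, str, str]] = [
    ("com.example.holidayinfo", "dev-account-1", "app.kaiguan1700.com"),
    ("com.example.holidayinfo", "dev-account-1", "api.weather.example"),
    ("com.example.colormatch", "dev-account-2", "app.kaiguan1700.com"),
    ("com.example.attendance", "dev-account-3", "app.kaiguan1700.com"),
    ("com.example.notes", "dev-account-4", "cdn.shared.example"),
    ("com.example.todo", "dev-account-4", "cdn.shared.example"),
    ("com.example.chat", "dev-account-5", "graph.facebook.com"),
    ("com.example.maps", "dev-account-6", "graph.facebook.com"),
]

# Backends that many unrelated apps legitimately share (social and analytics
# SDKs). Assumed allowlist; without it every SDK backend becomes a "cluster".
ALLOWLIST_SUFFIXES: Tuple[str, ...] = ("facebook.com", "googleapis.com", "crashlytics.com")


def _allowlisted(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in ALLOWLIST_SUFFIXES)


def index_by_host(obs: Iterable[Tuple[str, str, str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """host -> {(app_id, developer_account)} for every non-allowlisted host."""
    index: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for app_id, dev, host in obs:
        if not _allowlisted(host):
            index[host].add((app_id, dev))
    return dict(index)


def shared_cc_hosts(obs: Iterable[Tuple[str, str, str]],
                    min_apps: int = 2, min_devs: int = 2) -> Dict[str, Set[str]]:
    """Hosts contacted by at least min_apps apps published under at least
    min_devs distinct developer accounts. The account condition is what
    separates a bespoke C&C shared across throwaway accounts from one
    developer's own backend that all of their apps use."""
    clusters: Dict[str, Set[str]] = {}
    for host, pairs in index_by_host(obs).items():
        apps = {app for app, _ in pairs}
        devs = {dev for _, dev in pairs}
        if len(apps) >= min_apps and len(devs) >= min_devs:
            clusters[host] = apps
    return clusters


def apps_to_block(obs: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Flat, sorted list of app IDs tied to any shared C&C host."""
    ids: Set[str] = set()
    for apps in shared_cc_hosts(obs).values():
        ids |= apps
    return sorted(ids)


if __name__ == "__main__":
    obs = list(OBSERVATIONS)
    for host, apps in shared_cc_hosts(obs).items():
        print(host, "->", sorted(apps))
    print("block:", apps_to_block(obs))
```

With these observations, cdn.shared.example is contacted by two apps but from a single account, so it is treated as one developer's backend and not reported, while app.kaiguan1700.com is contacted from three accounts and surfaces all three apps at once.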
Best practices and Trend Micro solutions
The threat actors passed app review by posing as run-of-the-mill apps and hiding the apps' actual nature (in this case, gambling). Gambling apps may also be illegal in some countries and rejected by the iOS App Store and Google Play on that basis. We contacted Apple and Google about this research, and the apps have already been pulled offline.
Furthermore, these methods pose concerns to legitimate app developers and the mobile ecosystem since these highly rated fake apps are occupying the top list. Users, for their part, should adopt best practices for securing mobile devices. We also recommend reading app reviews before installing them, to flag suspicious features or behaviors at the onset.
Users can also install security solutions, such as the Trend Micro™ Mobile Security for iOS and Trend Micro™ Mobile Security for Android™ (also available on Google Play) solutions, that can block malicious apps. End users can also benefit from their multilayered security capabilities that secure the device owner’s data and privacy, and features that protect them from ransomware, fraudulent websites, and identity theft.
For organizations, the Trend Micro™ Mobile Security for Enterprise suite provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
Indicators of Compromise (IoCs)
Some of the identified fake apps on the iOS App Store (detected as IOS_Chameleon.A)
| App Name/Label | Bundle Name | Version |
| --- | --- | --- |
| Simon Color Match | com.jda.Color-Match | 1.3 |
| Employee attendance tracker | com.emp.att | 1.1 |
Some of the identified fake apps on Google Play (detected as AndroidOS_Gambling.HRX)