Is Google doing a good enough job of policing apps in the official Android app store?
It seems not, judging by the number of bogus apps that continue to be made available for public download from Google Play, exploiting the name and reputation of legitimate games in an attempt to make money for fraudsters.
For instance, take a look (but I suggest you don't install) the apps made available by an Android app developer called "abbaradon":
There are some pretty well known games listed there, including "Plants vs Zombies" and "PES 2012" (Pro Evolution Soccer).
The real Android version of "Plants vs Zombies", developed by Electronic Arts, costs a few dollars, and has had thousands of reviews.
However, Abbaradon's version is free, and has some fine print tucked away at the end of its description in the Google Play store:
Plants vs. Zombies Free! Please leave only positive feedback. If you have any support questions - please send us email. This is a Amazing puzzle specially for game fans.
Creating an app takes time and money, In order to keep creating great (and free!) apps, we are using a new search service to monetize our apps. With this service we are able to create more great apps for you guys. This option bundles a few search points (icon, bookmark and homepage) for you to use. You can erase these easily and with no effect to our app. Thanks!
The app itself isn't Plants vs Zombies at all. It's a simple jigsaw puzzle-type app, that uses an image from the game.
And it's not just Abbaradon. SophosLabs has seen scores of similar bogus apps, trying to make money out of unsuspecting users, in the last couple of weeks. Google tries to stamp out the rogue developers, but they simply return with a new name and start uploading their fake apps again.
So, what happens if you run one of these apps?
In the screenshot below you can see what happened when we ran a fake version of PES 2012.
The program admits that it is ad-supported, may display adverts in apps and your Android device's notification tray.
Furthermore, they say they will collect information about you - including your email address and phone number - if you click on any of the adverts, and pass it onto third parties.
And all you wanted to do was have a free game of football..
But it doesn't stop there, the app is also going to change your browser's home page, add a bookmark, and add icons to your device's home screen. All of this is designed to earn money for the app developer.
Sure enough, a couple of search icons have been added to the Android home screen alongside the icons for the games we've downloaded.
Clicking on the icons leads to search engines, such as Moberium.
Various advertising frameworks are being used by the apps, including Apperhand, Clicxap, Airpush and Startapp - presumably earning money for the developer who is bandying around apps on the Google Play store, pretending that they are free versions of popular games.
Google doesn't take kindly to app developers duping users in this way - and so the developers are using different certificates, different names, and ensure that their packages are heavily obfuscated so they do not look alike.
Although it's easy for a human analyst to determine that the apps are doing similar things, it seems that Google's automated systems are finding it a far harder job to weed out these fake money-making apps from their Android app store.
Sophos detects the bogus apps as Andr/NewyearL-B.
Android malware is a growing problem, with rogue apps even making their way into the official Google Play store. Last year, for instance, we talked about how one Naked Security reader downloaded what he thought was an official Android version of the Legend of Zelda game, only to be bombarded by pop-up notifications and adverts.
If you think it's time to protect your Android smartphone or tablet against the increasing number of threats, check out our free Android anti-virus app.Follow @gcluley
Thanks to SophosLabs researcher Vanja Svajcer for his assistance with this article.