Why you should avoid Star Hop and Candy Link in Google Play

Thanks to Rowland Yu of SophosLabs for the behind-the-scenes work on this article.

When you see them in Google Play, Star Hop and Candy Link look like a couple of harmless games. But they hide malware that can switch on the wifi on your Android device’s and pummel you with spam.

SophosLabs researchers uncovered the apps – which have been downloaded some 50,000 times so far – during routine testing.

Star Hop is a game where the goal is to tap on two or more adjacent stars to destroy them:

Candy Link is billed as a game that helps users improve their concentration and cognitive abilities:

Researcher Rowland Yu said the apps hide malware SophosLabs has detected as Andr/Axent-EH. It appears the apps have been available on Google Play since March 2017.

The malware family is able to:

  • Drop a malicious payload
  • Enable wifi if it is off
  • Connect to malicious remote websites
  • Load spam messages on the home screen

How it works

The malware decrypts a .jar file in the “assets” folder, then drops a payload called decbiee.jar, as this screenshot shows:

The payload has the capability of checking wifi status and turning it on if it’s off:

The payload connects lce9v.com, then redirects to malicious website wi7cb.com, which has been blocked by Sophos:

Once the device is infected, the user receives spam messages like these every time they activate their home screen:

Defensive measures

As we mentioned above, SophosLabs has identified this as Andr/Axent-EH and protected Sophos users against it.

Our advice to non-Sophos customers is not to download these apps if you see it in Google Play. We’ve told Google Play about our discovery.

The continued onslaught of malicious Android apps demonstrates the need to use an Android anti-virus such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.