Thanks to Chen Yu, Rowland Yu, Ferenc László Nagy, and Jagadeesh Chandraiah of SophosLabs for their behind-the-scenes work on this article.
When choosing an app, it’s common for users to check the rankings and reviews to ensure they’re making the best choice. Unfortunately, researchers have discovered that some apps aren’t as good as they appear.
That’s because app developers are using a variety of tactics and services to artificially boost download numbers and create fake positive reviews. The practice does no harm to the user’s device, and the apps themselves are not malicious. But those who download them are being tricked into doing so under false pretenses.
Cheat to win
With millions of apps available on Google Play, a big challenge for developers is to increase the visibility of an app so it stands out in a sea of competitors. Searching by keyword is usually the first step people take to find an app, so improving an app’s ranking for those keywords is a good way to gain visibility. The higher the ranking, the higher the app appears in the results for a keyword search.
There are tools and services that monitor and track app performance in search rankings, and tips for how to increase the ranking in legitimate ways. Then there are the trumped-up techniques used to cheat the system.
What caught the attention of our researchers was a group of apps in Google Play with similar functionality, UI and code structure, all using the same packer. Most of the developers’ contact emails are mail.ru addresses. The apps in question are drawing tutorials:
Their certificates have the dodgy owner name of “Unknown”:
More interesting is the number of apps – more than 100, spread across 36 different developer IDs. Examples include:
Many of the apps have more than 10,000 installs, with a total reach of between 2.7m and 11.7m. But did these drawing tutorial apps really gain such popularity by themselves? It doesn’t appear so.
These apps have another common feature. They all contact brutix1[.]info and send the device’s IP address and the contents of its build.prop file to it:
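Detection logic for the beacon described above, as an added example that is not part of the SophosLabs article. The proxy log layout, sample lines and IP addresses are constructed assumptions; it flags requests to brutix1.info and, separately, any request body carrying several standard build.prop keys, so the same upload sent to a new host is caught as well.

```python
import re
from urllib.parse import unquote_plus

# Indicator from the article: the drawing apps beacon to this host.
BEACON_HOST = "brutix1.info"

# Standard build.prop keys; two or more in one body suggests the file was uploaded.
BUILD_PROP_KEYS = ("ro.build.fingerprint", "ro.product.model",
                   "ro.build.version.release", "ro.product.brand")

# Constructed proxy log layout: "<ts> <src-ip> <method> <url> body=<urlencoded>"
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+'
                    r'https?://(?P<host>[^/\s]+)\S*\s+body=(?P<body>\S*)$')

def parse_line(line):
    # Returns a dict for one log line, or None if the line does not match.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["body"] = unquote_plus(event["body"])  # decode so keys are searchable
    return event

def classify(event):
    # Returns the reasons this request looks like a ranking-fraud beacon.
    reasons = []
    if event["host"].lower().rstrip(".") == BEACON_HOST:
        reasons.append("contacts known ranking-fraud host")
    hits = [k for k in BUILD_PROP_KEYS if k in event["body"]]
    if len(hits) >= 2:
        reasons.append("body carries build.prop fields: " + ", ".join(hits))
    return reasons

def scan(lines):
    # Returns (src, host, reasons) for every line that triggers a reason.
    findings = []
    for event in filter(None, map(parse_line, lines)):
        reasons = classify(event)
        if reasons:
            findings.append((event["src"], event["host"], reasons))
    return findings

# Constructed sample: a beacon, the same upload to an unknown host, one benign request.
SAMPLE_LOG = [
    "2018-01-29T09:00:01Z 10.0.0.21 POST http://brutix1.info/api/reg "
    "body=ip%3D203.0.113.7%26prop%3Dro.build.fingerprint%3Dx%0Aro.product.model%3DY",
    "2018-01-29T09:00:05Z 10.0.0.22 POST http://cdn.example/upload "
    "body=ro.product.brand%3Dx%0Aro.build.version.release%3D8.1",
    "2018-01-29T09:00:09Z 10.0.0.23 GET https://play.google.com/store body=",
]
```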
So who is brutix1[.]info? They call themselves KeyApp.top.
According to their website, they sell the “service” of boosting app keyword rankings and reviews:
They also publish terms of purchase, warn customers that ratings and reviews may be deleted, and suggest how to avoid removal. Below are two examples of good and bad ratings and reviews:
The researchers tried to contact the keyapp.top chat service to understand how it works. This is the chat transcript in which they offer 5,000 installs with five-star reviews for $0.12:
Using a service that operates this way violates Google Play policy, which is quite specific about what’s not OK:
Developers must not attempt to manipulate the placement of any apps in Google Play. This includes, but is not limited to, inflating product ratings, reviews, or install counts by illegitimate means, such as fraudulent or incentivized installs, reviews and ratings.
Moreover, the demo on the website clearly shows the connection between these apps and this service.
Google plays Whack-a-Mole
Google has been working to wipe out fake reviews and fraudulent install numbers. But it’s an uphill battle, given how easy it is for developers to work around the systems in place.
SophosLabs has reported its latest findings to Google.