Category Archives: Google Play

Jigsaw releases Intra, an Android app that encrypts DNS queries to thwart online censorship

Alphabet subsidiary and tech incubator Jigsaw, which concentrates on creating solutions for “the toughest geopolitical challenges,” has released Intra, an Android app that encrypts DNS queries. About Intra: Intra encrypts DNS queries so that they can’t be analyzed or manipulated by oppressive governments. Users can get to the wanted (blocked) website or use the wanted (blocked) app and can be sure that the site they were directed to is the site they wanted to visit, … More

The post Jigsaw releases Intra, an Android app that encrypts DNS queries to thwart online censorship appeared first on Help Net Security.

Cryptocurrency mining malware increases 86%

McAfee released its McAfee Labs Threats Report September 2018, examining the growth and trends of new cyber threats in Q2 2018. In the second quarter, they saw the surge in cryptomining malware growth that began in Q4 2017 continue through the first half of 2018. McAfee also saw the continued adaptation of the type of malware vulnerability exploits used in the WannaCry and NotPetya outbreaks of 2017. Although less common than ransomware, cryptomining malware has … More

The post Cryptocurrency mining malware increases 86% appeared first on Help Net Security.

Stealthy cryptomining apps still on Google Play

Researchers have flagged 25 apps on Google Play that are surreptitiously mining cryptocurrency for their developers, and some of these have still not been removed, they warn. About the malicious apps: Disguised as games, utilities and educational offerings, these malicious apps have been downloaded and installed more than 120,000 times. “Most of the apps were found to have embedded code from Coinhive, a JavaScript implementation to mine Monero,” the researchers explained. “The miner code, which … More

The post Stealthy cryptomining apps still on Google Play appeared first on Help Net Security.

Bogus finance apps on Google Play target users worldwide

ESET researchers have discovered malicious apps impersonating various financial services and the Austrian cryptocurrency exchange Bitpanda on Google Play. The fake apps: Uploaded to Google’s official app store in June 2018 and collectively downloaded and installed over a thousand times, upon launch the apps would immediately request the user to enter credit card details and/or login credentials to the targeted bank or service. The entered information would then be sent to the attacker’s server, and … More

The post Bogus finance apps on Google Play target users worldwide appeared first on Help Net Security.

Two New Monero Malware Attacks Target Windows and Android Users

Researchers spotted two new Monero malware attacks targeting Windows and Android devices that hide in plain sight and masquerade as legitimate application updates.

Quick Heal Security Labs discovered the new “invisible” Monero mining infection trying to hide on Windows PCs. Once installed, this self-extracting executable unpacks a VBS script, extraction utility, password-protected archive and batch file in the C:/ProgramFiles/Windriverhost directory. It then launches ouyk.vbs to maintain persistence and xvvq.bat to keep the computer on by modifying the PowerCFG command.

Finally, it runs the driverhost.exe mining program, which mines for Monero, while xvvq.bat regularly checks for analysis and antivirus tools using the tasklist command. The infection vector is currently unknown, but Quick Heal speculated that spear phishing and malvertising are likely culprits.

Meanwhile, as noted by Fortinet, the Android/HiddenMiner.A!tr malware attempts to compromise Android devices by posing as an update to the Google Play Store. If installed on an emulator or virtual machine, it shuts down to avoid analysis. If installed on a mobile device, it activates and asks for administrative privileges. If not granted, the malware will continue asking for permission until users allow installation.

Monero Malware Hides in Plain Sight

Along with efforts to avoid analysis, Quick Heal noted that the Monero malware also limits central processing unit (CPU) usage to 35 percent for all mining activity. Given the persistence of the malware and the low CPU cap, users may not encounter the system performance issues and application lag commonly associated with mining attacks, improving the malware’s ability to go undetected for long periods of time.

On the other hand, the HiddenMiner malware is problematic for Android users because it appears in the Google Play Store as an update to the Store itself. As a result, users aren’t surprised by requests for admin rights since the “update” seemingly comes from Google.

How to Mitigate the Threat of Monero Malware

Shutting down these Monero malware tools requires keeping devices up to date and regularly checking desktops for indicators of compromise (IoCs). As noted by IBM X-Force Exchange, the HiddenMiner malware won’t work on Android 7.0 or later thanks to a change in Android PacKage (APK) format that introduced a new signing mechanism. Malware attempting to execute on devices running 7.0 or later will instead return an error message.

IBM security professionals also recommend targeting common IoCs to detect mining malware. As noted by Quick Heal, a flaw in the xvvq.bat file means it only kills driverhost.exe if taskmgr.exe is running — making it easier for security teams to track down the driverhost.exe IoC and take action to remove the malware.

Sources: Quick Heal Security Labs, Fortinet

The post Two New Monero Malware Attacks Target Windows and Android Users appeared first on Security Intelligence.

Android Malware Intercepts SMS 2FA: We have the Logs!

A couple years ago I was doing some phishing investigations training at the Police School in Santiago, Chile.  One module in my training was called "Logs Don't Lie" which pointed out that in most cases we have everything we need to prioritize a phishing response just by looking at the log files, either on the compromised phishing server, or in the Financial Institution's own logs.

Malware C2 servers are another great place to apply the rule "Logs Don't Lie."  Most security researchers realize that there is a great cloud of fellow researchers on Twitter sharing little tips and glimpses of their investigations.  @LukasStefanko and @nullcookies and I have been looking at a C2 server for a piece of Android malware.  And the Logs are AMAZINGLY helpful at understanding just what kind of damage such a trojan can do!    (Sidenote:  @nullcookies is a monster for finding fresh and interesting phish (and often related tools), while @LukasStefanko is an awesome malware analyst for ESET, specializing in Android-based malware.  You should follow both on Twitter if you care about such things.  Thanks to them both for the pointer that leads to what follows.)

In this case, the malware is believed to be called "Anubis II" and likely uses the "Builder" that is depicted in this YouTube video, titled "Builder Android Bot Anubis 2"

Launcher the APK Builder "Android Botnet Anubis II" 

Malware actor chooses from his list of banking targets

In the comments section of the video, someone has shared a screen shot of the botmaster's control panel.  In this case it is demonstrating that 619 Android phones can be controlled from the botnet:

Phones that can be controlled from Anubis II control panel

In the particular instance referred to by Lukas and NullCookies, the malware seems to have been active primarily in June of 2018.   The server hosting the Anubis II panel has a list of banks that it can present.

The targets which have custom web inject (or phone inject) content include:
  • 7 Austrian banks
  • 18 Australian banks
  • 5 Canadian banks
  • 6 Czech banks
  • 11 German banks
  • 11 Spanish banks
  • 11 French banks
  • 8 Hong Kong banks
  • 11 Indian banks
  • 6 Japanese banks
  • 1 Kenyan bank
  • 4 New Zealand banks
  • 32 Polish banks
  • 4 Romanian banks
  • 9 Turkish banks
  • 10 UK banks (Bank of Scotland, Barclays, CSGCSDNMB, Halifax, HSBC, Natwest, Royal Bank of Scotland, Santander, TSB, Ulster)
  • 10 US banks (Bank of America, Capital One, Chase, Fifth Third, NetTeller, Skrill, SunTrust, USAA, US Bank, Wells Fargo Mobile)

Fake Android Login Pages for Banks 

While each of the 190 sites has a fake login page available, we thought we would show a sampling from banks around the world . . . 

There are also several Crypto Currency organizations listed:
  • blockchaine
  • coinbase
  • localbitcoin
  • unocoin

As well as some Online Payment, Email, and Social Media sites:
  • eBay
  • Facebook
  • Gmail
  • PayPal
  • ZebPay

Each bank on the list has the equivalent of a phishing page that can be presented if the owner of the android phone attempts to log in to the given bank.

 Some of them have silly typographical errors that will hopefully reduce success, such as this Wells Fargo content, inviting the phone owner to "Sing In" to the bank.  Perhaps there is a Wells Fargo Choir?  Hopefully that will cause victims to NOT fall for this particular malware!

The Wells Fargo Choir?  Sing On!

The SMS Intercepts

One of the main benefits of having access to the server was to see so many examples of successful SMS message intercepts!  At the time of the server dump, this one contained 32,900+ unique "keylog" entries and 52,000+ logged SMS messages from at least 47 unique devices.

Here's an example showing a Bank Two Factor Authentication request being forwarded to the criminals:

Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. If you didn't request the code, call for assistance.

Keylogging was also enabled, allowing the criminal to see when a bank app was being used:

06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Date:, May 30, 2018 10:10:42 AM EDT, Status:, Canceled, Amount:, $100.00, Type:, Deposit, Transfer ID:, 25098675]

In this example, an online payment company is sharing a message:

06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminderThis is Mr. XXXXXXX from REDACTED. This is a friendly reminder that you have a payment due today by 6pm If you have any questions or need to make a payment  via phone call 804-999-9999 or we have a new payment processing system that allows , for your convenience, to simply text in the last 4 digits of a card you've previously used and the security code and we're able to process your payment.  Feel free to call  REDACTED with any questions at 804-xxx-xxxx]

Hundreds of Gmail verification codes were found in the logs:

06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]

Quite a few Uber codes were also found in the logs:

Text: [#] 9299 is your Uber code. qlRnn4A1sbt

PayPal, QuickBooks, LinkedIn, Facebook, Stash, and Stripe all had 2FA codes make appearances in the logs:

Text: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes. Please don't reply.

Text: [Your QuickBooks Self-Employed Code is 952708, 1 min ago]

Text: 383626 is your Facebook password reset code or reset your password here:

Text: Your LinkedIn verification code is 967308.

Text: 103-667 is your Stripe verification code to use your payment info with Theresa.

Text: Your Stash verification code is 912037. Happy Stashing!

Text: Cash App: 157-578 is the sign in code you requested.

Text: Your verification code for GotHookup is: 7074

In a directory called "/numers/" there were also examples of address book dumps from phone contacts.  The small number of these seem to indicate this would be a "triggered" request, where the botnet operator would have to request the address book.  In the example we found, with seven area code (404) numbers, four (770) numbers and four (678) numbers, it is likely an Atlanta, Georgia based victim.

The Keylogging feature also seems to be something that is turned on or off by request of the botnet operators.  There were far fewer devices for which keylogs were found.   Example keylog entries looked like this:

A telephone prompt looked like this:

  • 06/15/2018, 14:38:55 EDT|(CLICKED)|[Call management, •, 10m, 4 missed calls, Ashley Brown (3), Mom]
  • 06/15/2018, 14:38:59 EDT|(CLICKED)|[Call Ashley Big Cousin, Quick contact for Ashley Brown]
  • 06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-999-9999, Mobile, Call Ashley Brown]

Responding to a message looked like this:

  • 06/15/2018, 16:02:34 EDT|(CLICKED)|[Messaging, •, now, Expand button, (804) 999-9999 , Hey Terry can you send the address, REPLY]
  • 06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]
  • 06/15/2018, 16:02:46 EDT|(CLICKED)|[Copy, Forward, Delete]
  • 06/15/2018, 16:02:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:02:54 EDT|(CLICKED)|[Messaging]
  • 06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]
  • 06/15/2018, 16:05:11 EDT|(CLICKED)|[Answer]
  • 06/15/2018, 16:05:29 EDT|(CLICKED)|[]
  • 06/15/2018, 16:10:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:10:52 EDT|(CLICKED)|[Enter]
  • 06/15/2018, 16:11:01 EDT|(FOCUSED)|[2007 Their Address Ct  North CityTheyTyped OK 11111]
  • 06/15/2018, 16:11:03 EDT|(FOCUSED)|[]

A YouTube session looked like this:

  • 06/27/2018, 15:23:36 EDT|(CLICKED)|[YouTube]
  • 06/27/2018, 15:23:46 EDT|(CLICKED)|[Pause video]
  • 06/27/2018, 15:41:19 EDT|(FOCUSED)|[14:46, Go to channel, FINDING OUT THE GENDER!!!, Menu, The Rush Fam · 26K views4 hours ago, 6:12, Go to channel, TRY NOT TO CRY CHALLENGE REACTION WITH KID (SHE ACTUALLY CRIED), Menu, CJ SO COOL · 2.5M views · 1 year ago, SUBSCRIBED]
  • 06/27/2018, 15:46:38 EDT|(FOCUSED)|[]
  • 06/27/2018, 15:46:41 EDT|(CLICKED)|[Enter]
  • 06/27/2018, 15:46:53 EDT|(CLICKED)|[Play video]
  • 06/27/2018, 15:48:06 EDT|(CLICKED)|[ · 0:11]
  • 06/27/2018, 15:48:09 EDT|(CLICKED)|[ · 0:09]
  • 06/27/2018, 15:48:10 EDT|(CLICKED)|[ · 0:08]
  • 06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: "BREAKING UP IN FRONT OF COMPANY!!" PRANK ON PANTON SQUAD!!!]
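
An added example, not code from the original post: a Python triage pass over logs in the keylog and SMS layouts quoted above, counting which services had verification codes captured and masking the digits so the responder's report does not re-leak them. The sample lines are constructed, and the service list and the code-shaped regex are assumptions drawn from the excerpts shown, not a description of the panel's real schema.

```python
import re
from collections import Counter
from datetime import datetime

# Keylog layout as quoted in the post: MM/DD/YYYY, HH:MM:SS TZ|(EVENT)|[captured UI text]
KEYLOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}, \d{2}:\d{2}:\d{2}) (?P<tz>[A-Z]{2,5})"
    r"\|\((?P<event>[A-Z]+)\)\|\[(?P<body>.*)\]$"
)
# Intercepted SMS entries are quoted as "Text: <message>"
SMS_RE = re.compile(r"^Text: (?P<body>.*)$")
# Heuristic (assumption): 4-8 digits or NNN-NNN, optional letter prefix such as "G-".
# The hyphen guards keep phone numbers like 804-555-0100 from matching.
CODE_RE = re.compile(r"(?<![\d-])(?:[A-Z]-)?(?:\d{3}-\d{3}|\d{4,8})(?![\d-])")
# Service names seen in the post's excerpts (assumption: extend for your own case)
SERVICES = ("Google", "Uber", "PayPal", "QuickBooks", "Facebook",
            "LinkedIn", "Stripe", "Stash", "Cash App")


def parse_line(line):
    """Return a record dict for a keylog or SMS line, or None if unrecognised."""
    line = line.strip().lstrip("•").strip()
    m = KEYLOG_RE.match(line)
    if m:
        when = datetime.strptime(m["ts"], "%m/%d/%Y, %H:%M:%S")
        return {"kind": "keylog", "when": when, "tz": m["tz"],
                "event": m["event"], "body": m["body"]}
    m = SMS_RE.match(line)
    if m:
        return {"kind": "sms", "when": None, "tz": None,
                "event": None, "body": m["body"]}
    return None


def find_exposure(record):
    """Flag a record that looks like a captured verification code; mask the digits."""
    body = record["body"]
    if "code" not in body.lower():
        return None
    m = CODE_RE.search(body)
    if not m:
        return None
    service = next((s for s in SERVICES if s.lower() in body.lower()), "unknown")
    masked = body[:m.start()] + re.sub(r"\d", "#", m.group()) + body[m.end():]
    return {"service": service, "kind": record["kind"],
            "when": record["when"], "redacted": masked}


def triage(lines):
    """Summarise which services had codes exposed in a batch of log lines."""
    result = {"parsed": 0, "skipped": 0, "by_service": Counter(), "findings": []}
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            result["skipped"] += 1
            continue
        result["parsed"] += 1
        finding = find_exposure(record)
        if finding:
            result["by_service"][finding["service"]] += 1
            result["findings"].append(finding)
    return result


# Constructed sample lines in the layouts shown above (not real victim data)
SAMPLE = """\
06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-000000 is your Google verification code., 1 min ago]
Text: Your LinkedIn verification code is 000000.
Text: 000-000 is your Stripe verification code to use your payment info with Example.
06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-555-0100, Mobile, Call Example Contact]
06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]
Text: Reminder: call 804-555-0100 and give the security code on your card.
not a log line
"""

if __name__ == "__main__":
    report = triage(SAMPLE.splitlines())
    print(report["parsed"], "parsed,", report["skipped"], "skipped")
    for f in report["findings"]:
        print(f["service"], f["kind"], f["when"], f["redacted"])
```

The per-service counts give a responder a list of providers to notify and accounts to force-reset without copying live codes into the case file.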


From looking for this malware in various collections, such as Virus Total Intelligence, it seems that the malware is fairly common.  Many new versions of the malware show up in their collection every day.   The most common point of distribution seems to be from the Google Play Store.

A popularly reported stream of such apps was reported on by, well, just about everyone in July 2018.  Some of the headlines included:

Anubis Strikes Again: Mobile Malware continues to plague users in Official App Stores  - from IBM X-Force Research's Security Intelligence blog

Best graphic goes to Secure Computing Magazine:

A more recent post, from AlienVault, (20 days ago):  "Anubis Android Malware in the Play Store"

A search in VirusTotal Intelligence reveals 62 new filehashes ONLY FROM TODAY (September 10, 2018) that match a definition name of "Anubis".  Some of the more popular names for the trojan on VirusTotal include:

DrWeb:  Android.BankBot.1679
Ikarus: Trojan-Banker.AndroidOS.Anubis
Kaspersky: HEUR:Trojan-Dropper.AndroidOS.Hqwar.bb
Sophos: Andr/BankSpy-AH

Kaspersky authored a special article on this banking trojan, which they call "HQWar" back in April under the headline "Phantom menace: mobile banking trojan modifications reach all-time high: Mobile banking Trojans hit the list of cyber-headaches in Q2 2018"   In that article they said they have documented 61,000 versions! 

Kaspersky: Phantom Menace

As I mentioned Lukas at the beginning of this blog, ESET has produced an amazing number of articles on Android banking trojans lurking in the Google Play store.  Here are a few of them:

Fortnite’s Google Play rebuff sparks security concerns for Android users

There’s been no small outbreak of chaos in mobile land recently, all because of an astonishingly popular game called Fortnite.

Here’s the thing: people refer to Android as “open platform,” saying that, in theory, you can do what you want with it. In practice, you buy an Android phone and then you’re locked into apps from the Google Play store. You can switch things off to allow external installs, but it’s generally not advisable, as it leaves the gate open to potentially dubious installs.

You can delve into discussions about whether Android is open source or not, but the conversation is a little more complicated and nuanced than simply answering “yes” or “no.”

With all of the above discord thrown into a melting pot and swirled around, Fortnite steps in and rattles a few more cages.

What happened?

The developers, Epic, decided that they’d rather offer the game on mobile outside of Google Play, which drastically increases the amount of revenue not nibbled at by Google. There are multiple potential issues with this:

  • Having children enable the “allow installs from unknown sources” option on an Android is a recipe for disaster. It not only means many of them will inevitably end up downloading a rogue app by mistake, it also means that those phones are now less secure than the fully locked-down Android devices out there.
  • As pointed out on Twitter, even children with legitimate installs of Fortnite onboard will eventually fall foul to something nasty because the phone is splashing around in the metaphorical malware mud.
  • Everything comes down to how well promoted the official download link is, and how efficiently the game developers tell people to only grab the game from that one specific link.
  • Epic needs to ensure they don’t fall victim to sophisticated SEO scams pointing links away from their site and toward bad downloads, and also that their site security is top notch. If the page is compromised, a rogue download link might be waiting in the wings.

That’s how the initial landscape looked shortly after Epic’s announcement, and many predicted things would quickly go horribly wrong.

Did things go horribly wrong?

They most certainly did. In the end, it wasn’t even a rogue app causing mayhem but an issue found with Fortnite’s installer that allowed for the possibility of rogue apps onboard to hijack the installer and install their own junkware. The so-called “Man in the Disk” attack looks for apps not locking down external storage as well as they should, and quickly gets to work exploiting things happening under the hood.

The uproar over the installer kerfuffle was rounded off with a bit of a fierce debate on Twitter, because that’s what happens with everything in life now.

What happens next?

Whether they like it or not, Epic are now the standard bearer for “app developer going off range into the (incredibly wealthy and insecure) wilderness.” I don’t believe an Android app has attracted quite this much attention before, and that’s without throwing the no Google Play install angle into the mix.

What they’re also stuck with is the realization that for as long as they continue to remain outside of the Google Play ecosystem, stories will come back to haunt them regarding malware installs masquerading as the real thing, social engineering tricks convincing children to download dodgy Fortnite add-ons from Russian servers, and potential SEO poisoning leading would-be gamers astray.

Google Play certainly isn’t perfect, and plenty of rogue apps have been found lurking there through the years. I think most security professionals would argue it’s still an awful lot riskier to switch off the unknown source install ban than it is to visit Play and grab an app, though.

Let’s also not single out Epic on this one; it’s not just game developers taking tentative steps into the world of unknown installs—even mobile phone providers do it. About four or five years ago, I replaced my phone and took out a package deal with a well-known UK retailer. Part of the deal was “six free games for your Android.” Sounds great, right? Except I quickly realized that to get the games, you had to enable unknown source installs and download the six .APK files directly from the phone provider’s website.

At no point did anyone say anything about how turning off a security feature of the phone I’d just been sold was a bad idea. Nothing in the literature provided mentioned anything beyond, “Wow, turning this off is a really good idea, free games! Wow!” This is also at a time when I was regularly writing about fake Angry Birds/Flappy Bird downloads hosted on Russian websites.

Once installed (via dragging and dropping from desktop to mobile through the magic of USB cables), those fake bird-themed games would typically try and perform premium rate SMS shenanigans. This only worked because some people were running around with unknown source installs permitted, and they’d still have to try and social engineer the ones that weren’t into turning it on.

Unknown installs: so hot right now

Now we’re at a point where unknown source installs are not only mainstream but currently attached to the wheels of an absolute gaming juggernaut. There are serious security issues that Epic needs to consider, and it’s going to be fascinating looking back in six to 12 months and deciding if promoting unknown source installs in this way caused a maelstrom of security headaches from all sides, or a large pile of “absolutely nothing much happened.”

If it’s the latter, you can bet more developers will want to take advantage of this method. Then the threat landscape will become significantly more complicated in mobile land.

The post Fortnite’s Google Play rebuff sparks security concerns for Android users appeared first on Malwarebytes Labs.

New BondPath Android Spyware Retrieves Chat Data From Messaging Apps

Researchers uncovered an Android spyware family called BondPath that is capable of retrieving chats from several mobile messaging apps while spying on other types of information.

BondPath has been around since May 2016, but in July 2018, researchers at Fortinet observed that some samples were still in the wild. Those specimens masqueraded as “Google Play Store Services,” an application signed by an unknown developer known only as “hola.” The name of this malicious application is intentionally similar to Google Play Services, the title of the process Google uses to update Android apps from the Play Store.

Upon successful execution, BondPath assumes the ability to steal an infected device’s browser history, call logs, emails and SMS messages. But a few less frequently used capabilities made BondPath stand out to the researchers, such as its ability to monitor an infected smartphone’s battery status. It could also steal chats from WhatsApp, Skype, Facebook, Line and other mobile messaging apps.

The Rise and Fall of Spyware

According to Verizon’s “2018 Data Breach Investigations Report,” spyware and keylogger malware were involved in 121 security incidents and 74 data breaches in 2017. This threat category increased its activity during the second half of 2017 and the beginning of 2018, yielding a 56 percent increase in detections during the first quarter of 2018, according to Malwarebytes. Spurred in part by a series of large attack campaigns pushing Emotet, Malwarebytes named spyware as the top detected business threat for the quarter.

Near the end of the first quarter, spyware activity declined significantly. It continued falling throughout the second quarter, ultimately decreasing by 40 percent, according to Malwarebytes. In that span of time, TrickBot was the most prevalent form of spyware after it added the ability to hijack cryptocurrency earlier in the year.

How to Protect Against Mobile Threats

To defend their organizations against BondPath and similar mobile threats that originate in official app stores, security teams should keep applications and operating systems running at the current patch level, verify the legitimacy of unsolicited email attachments through a separate channel, and monitor their IT environment for the indicators of compromise (IoCs) listed in the IBM X-Force Exchange threat advisory.

Sources: Fortinet, Verizon, Malwarebytes, Malwarebytes(1)

The post New BondPath Android Spyware Retrieves Chat Data From Messaging Apps appeared first on Security Intelligence.

Mobile Menace Monday: FakeGift is the gift that keeps on frustrating

Last spring, we found yet another piece of riskware on Google Play we call Android/PUP.Riskware.FakeGift. Based on Hindi characters found in the code, we can assume it originates from India. With over 50,000 installs before being removed from Google Play, FakeGift apparently kept on giving—frustration to its users, that is.

Gift cash money

As the name implies, FakeGift offers just that—fake gifts. Admittedly, it does so in a kind of fun way.  Here’s how it works: Every day you are given 10 free “gifts.”  As shown below, after the opening splash screen, the home page displays a gift box.

Press the gift box and you’ll receive a “gift” in rupees. The amount of rupees gifted is random. The gifted amount is then added to a balance found in the upper right part of the screen.

After pressing the gift box 10 times, it will let you know you’re done for the day—even after closing and reopening.

You can also accumulate rupees by pressing “Share,” which redirects you to WhatsApp. Note that if you don’t have WhatsApp, it just gives an error message stating, “Whatsapp not installed on this device.”  Once in WhatsApp, simply pick a victim…er…friend to send a message. In Hindi, the message says:

सभी स्मार्टफोन यूजर ध्यान दे 📱📱📱ऑनलाइन पैसे 💰कमाने का एक बहुत ही सुनहरा अवसर हैं आपके पास, “इसे एक बार जरूर पढ़े”| 👇👇👇👇👇 🎁🎁🎁 गिफ्ट मनी में आपका स्वागत हैं🎁🎁🎁गिफ्ट मनी दे रहा हैं पैसे कमाने का एक सुनहरा मौका गिफ्ट खोले और पैसा कमाए | गिफ्ट मनी अप्प में आप रोजाना 400-500 रूपए आसानी से कमा सकते हो | महीने के 15000 से 20000 रूपए आपकी इनकम हो सकती हैं | दोस्तों आपको 1 दिन में 10 गिफ्ट मिलेंगे उन गिफ्ट को आपको खोलना हैं आपके लक के अनुसार गिफ्ट में कितने भी रूपए निकल सकते हैं और गिफ्ट मनी आपको फ्री में गिफ्ट नहीं दे रहा हैं आपको रोजाना अप्प में 10 मिनट का वर्क करना हैं उसी के पैसे आपको दे रहा हैं तो दोस्तों पैसे कमाने के इस अच्छे मोके को गवांये नहीं और अभी डाउनलोड करे और वर्क स्टार्ट कर दे| Download this link <hidden Google Play link>

Rough translation using Google Translate:

All Smartphone users pay attention 📱📱📱 Online money is a great opportunity to make money, “You must read it once.” 👇👇👇👇👇 में Welcome to Gift MoneyGift Money is giving you a golden opportunity to earn money, open gifts and earn money. You can easily earn 400-500 rupees per day in the Gift Money App. You can earn from 15,000 to 20000 rupees a month. Friends, you will get 10 gifts in 1 day, you have to open those gifts according to your luck, how many rupees can get in the gift and gift gift is not giving you a free gift. You have to work 10 minutes daily in the work of the money If you are giving it, then guys do not miss this good thing to earn money and download it now and start work. Download this link <hidden Google Play link>

Every WhatsApp message sent is an additional 10 rupees.

FakeGift, the gift that keeps on giving…absolutely nothing

After accumulating some rupees, you can then press “Payment” from the home screen to redeem.  As shown below, you have three payment options.

Picking PayPal, it pops up this message.

Translation: For Balance Transfer in Paypel First Time should be 5000 rupees. After that you can transfer the balance daily. Thank you.

Here’s where it gets shady. After you accumulate the required 5,000 rupees, you still can’t transfer the money. Angry Google Play reviews show the disappointment.

One review (very) roughly translates to, “The money has to be 5000 every time you are cutting money and not being added, this is a fake app. Friends, do not waste your time.”

The fun ends

Although fun at first, the realization that there’s no award at the end turns fun into frustration. For many, this comes only after sharing with multiple friends via WhatsApp. Using this method, the app was able to gain over 50,000 installs. Also, another variant was found using a different name, but playing the same game. It also received around 50,000 installs. The good news is the only damage done is wasted time and nothing worse. Stay safe out there!

The post Mobile Menace Monday: FakeGift is the gift that keeps on frustrating appeared first on Malwarebytes Labs.