Trojan Apps Downloaded Over 2.1 Million Times Found on Google Play
Security experts from Doctor Web have reported the discovery of a new batch of apps infected with the FakeApp malware family on the Google Play store. In total, these apps have been downloaded at least 2,160,000 times. One of the malware samples used DNS to secretly communicate with its command and control servers.
Researchers remind users that the main goal of many Android.FakeApp trojans (often simply called FakeApp) is to redirect users to various websites. Technically, these malicious programs are quite simple. When launched, they receive a command to open a specific URL, so instead of the expected app or game, users see unwanted website content on their device screens.
One particular sample, Android.FakeApp.1669, caught the specialists' attention because it uses a modified dnsjava library. This lets the trojan fetch its configuration, which contains the target link, from a malicious DNS server. The configuration is delivered only when the infected device is connected to the internet through certain providers (for example, particular mobile carriers); in all other situations the trojan stays inactive.
According to the researchers, this FakeApp variant exists in many modifications, each disguised as a different app and distributed through several channels, including the official Google Play store. Known modifications have been downloaded from Google Play at least 2,160,000 times in total.
Examples of Infected Apps
Below are some of the Android.FakeApp.1669 variants identified by Doctor Web analysts on Google Play. The researchers found even more infected apps, but some have already been removed.
| App Name | Number of Downloads |
|---|---|
| Split it: Checks and Tips | 1,000,000+ |
| FlashPage parser | 500,000+ |
| BeYummy – your cookbook | 100,000+ |
| Memogen | 100,000+ |
| Display Moving Message | 100,000+ |
| WordCount | 100,000+ |
| Goal Achievement Planner | 100,000+ |
| DualText Compare | 100,000+ |
| Travel Memo | 100,000+ (removed) |
| DessertDreams Recipes | 50,000+ |
| Score Time | 10,000+ |
How the Trojan Works
When launched, this version of FakeApp sends a DNS query for the TXT record of a domain name under the attackers' control. The server answers only if the infected device is connected through one of the targeted providers. The trojan sends these queries with modified code taken from the open-source dnsjava library.
Normally, TXT records carry arbitrary text used for purposes such as domain-ownership verification or SPF policies; here they carry an encoded configuration that drives the malware's behaviour.
Each trojan modification is tied to its own domain name, which lets the DNS server hand out a different configuration to each one. Furthermore, the subdomain (the leftmost label of the queried name) is unique to each infected device and encodes device-specific data, such as:
- Device model and brand
- Screen size
- Identifier (consisting of two numbers: the time the trojan app was installed and a random number)
- Whether the battery is charging and its current charge percentage
- Whether developer options are enabled
For example, the trojan variant from the Goal Achievement Planner app requested a TXT record for the domain 3gEBkayjVYcMiztlrcJXHFSABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg[.]simpalm[.]com, the variant from Split it: Checks and Tips requested a record for 3gEBkayjVYcMiztlrcJXHFTABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg[.]revolt[.]digital, and the variant from DessertDreams Recipes for 3gEBkayjVYcMiztlrcJXHFWABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg[.]outorigin[.]com. Note that the three subdomains differ from one another in only a single character.
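The query pattern described above (a TXT lookup for a long, Base64-looking per-device label under a throwaway domain) is something a defender can hunt for in DNS resolver logs. The following is an added example, not code from Doctor Web or from the article; it runs over a constructed log in a made-up "client qtype qname" format that refangs the three domains quoted above, and it flags TXT queries whose leftmost label is long, drawn from the Base64 alphabet, and high-entropy. The length and entropy thresholds and the naive apex-domain split are assumptions to tune for your environment.

```python
import math
import re

# Constructed sample resolver log (not from the article): "client qtype qname".
# The first three lines refang the domains quoted in the text; the rest are
# ordinary TXT/A lookups that should not be flagged.
SAMPLE_LOG = """\
10.0.0.5 TXT 3gEBkayjVYcMiztlrcJXHFSABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg.simpalm.com
10.0.0.7 TXT 3gEBkayjVYcMiztlrcJXHFTABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg.revolt.digital
10.0.0.9 TXT 3gEBkayjVYcMiztlrcJXHFWABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg.outorigin.com
10.0.0.5 TXT _dmarc.example.com
10.0.0.5 TXT example.com
10.0.0.7 A www.example.com
10.0.0.7 TXT _acme-challenge.shop.example.net
"""

# Assumed thresholds: the page's labels are 56 characters long and use the
# Base64 alphabet; legitimate TXT labels (_dmarc, _acme-challenge) are short.
MIN_LABEL_LEN = 32
MIN_ENTROPY = 3.5
BASE64ISH_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def shannon_entropy(text: str) -> float:
    """Bits per character; random Base64 data scores well above 3.5."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return sum(-(c / n) * math.log2(c / n) for c in counts.values())


def is_suspicious_txt_query(qtype: str, qname: str) -> bool:
    """True for TXT queries whose leftmost label looks like encoded data."""
    if qtype.upper() != "TXT":
        return False
    label = qname.rstrip(".").split(".")[0]
    if len(label) < MIN_LABEL_LEN:
        return False
    if not BASE64ISH_LABEL.match(label):
        return False
    return shannon_entropy(label) >= MIN_ENTROPY


def parse_log(text: str):
    """Yield (client, qtype, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname = line.split()
        yield client, qtype, qname.rstrip(".")


def find_suspicious_txt_queries(log_text: str) -> list:
    """Return (client, qname) pairs that match the FakeApp-style pattern."""
    return [(client, qname) for client, qtype, qname in parse_log(log_text)
            if is_suspicious_txt_query(qtype, qname)]


def apex_domain(qname: str) -> str:
    """Naive apex: last two labels. Assumption; use a public-suffix list in production."""
    return ".".join(qname.split(".")[-2:])


def suspicious_domains(log_text: str) -> list:
    """Distinct apex domains receiving suspicious TXT queries, sorted."""
    return sorted({apex_domain(q) for _, q in find_suspicious_txt_queries(log_text)})


if __name__ == "__main__":
    for client, qname in find_suspicious_txt_queries(SAMPLE_LOG):
        print(f"{client} -> {qname}")
    print("domains:", suspicious_domains(SAMPLE_LOG))
```

Because the per-device label changes with each infected device while the apex domain stays fixed per trojan modification, grouping hits by apex domain (as `suspicious_domains` does) is what turns individual alerts into a blocklist candidate.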
Decoding the Configuration
To decode the contents of these TXT records, reverse the string, decode it from Base64, decompress it with gzip, and split the result into lines on the ÷ character.
The resulting data looks like this (example from the TXT record for the Goal Achievement Planner app):
- url: hxxps[:]//goalachievplan[.]pro
- af_id: DF3DgrCPUNxkkx7eiStQ6E
- os_id: f109ec36-c6a8-481c-a8ff-3ac6b6131954
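The four-step decoding procedure above, as an added example that is not code from the article or from Doctor Web. Because no real TXT payload is reproduced on the page, the block also contains the inverse routine (`encode_config`, an assumption about how such a record could be produced) solely to build a constructed sample offline from the configuration values quoted above; the decoder is the part that matters. It also handles one practical caveat: a TXT record longer than 255 bytes comes back from the resolver as several character-strings that must be concatenated before decoding.

```python
import base64
import gzip

# Separator that, per the article, splits the decompressed config into lines.
SEPARATOR = "÷"


def decode_txt_record(record) -> dict:
    """Reverse -> Base64-decode -> gunzip -> split on '÷' -> parse 'key: value'.

    `record` may be a single string or the list of character-strings a DNS
    library returns for one TXT record; the chunks are joined first.
    """
    if isinstance(record, (list, tuple)):
        record = "".join(record)
    compressed = base64.b64decode(record[::-1])
    plain = gzip.decompress(compressed).decode("utf-8")
    config = {}
    for line in plain.split(SEPARATOR):
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        config[key.strip()] = value.strip()
    return config


def encode_config(config: dict) -> str:
    """Inverse of decode_txt_record. Assumption used only to construct a sample
    record here; the real server-side encoder is not described on the page."""
    plain = SEPARATOR.join(f"{k}: {v}" for k, v in config.items())
    compressed = gzip.compress(plain.encode("utf-8"))
    return base64.b64encode(compressed).decode("ascii")[::-1]


# Constructed sample built from the configuration values quoted in the text.
SAMPLE_CONFIG = {
    "url": "hxxps[:]//goalachievplan[.]pro",
    "af_id": "DF3DgrCPUNxkkx7eiStQ6E",
    "os_id": "f109ec36-c6a8-481c-a8ff-3ac6b6131954",
}
SAMPLE_RECORD = encode_config(SAMPLE_CONFIG)


def split_into_txt_chunks(record: str, size: int = 255) -> list:
    """Mimic how a long TXT record is returned: in character-strings of <= 255 bytes."""
    return [record[i:i + size] for i in range(0, len(record), size)]


if __name__ == "__main__":
    print("sample record:", SAMPLE_RECORD)
    print("decoded:", decode_txt_record(split_into_txt_chunks(SAMPLE_RECORD)))
```

Reversing the Base64 text before decoding means any `=` padding sits at the front of the stored record, which is one cheap fingerprint for this family's TXT payloads; a record that gunzips cleanly only after reversal is another.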
The trojan then loads the url value in a WebView inside its own window, overlaying the main app interface. The link leads to a site that starts a long chain of redirects, ultimately landing on an online casino website.
As a result, the malware essentially turns into a web app that displays the loaded website’s content, rather than the functionality originally promised on the Google Play app page.
When the device is not connected through one of the targeted providers, or has no internet connection at all, the trojan behaves as the app advertised on Google Play, provided its creators included any such fallback functionality.