6 Seemingly Harmless Apps From the Google Play Store Will Infect Your Android Phone With Malware

That calorie counter or dot-connecting game may not be what it looks like.

EXPERT OPINION BY MINDA ZETLIN, AUTHOR OF 'CAREER SELF-CARE: FIND YOUR HAPPINESS, SUCCESS, AND FULFILLMENT AT WORK' @MINDAZETLIN

JAN 6, 2024

McAfee released a report last month identifying a total of 14 Android apps containing malware that creates a “back door,” which allows malicious software to track your location, carrier, apps on your phone and so on, and can allow others to take over your device. Though Google has removed the apps from its Play Store, some had been there since 2020.

The most popular of these innocent-seeming apps do things like help you count calories, play a dot-connecting game, or get your daily horoscope. In total, they’ve been downloaded more than 338,000 times.

Here are the six most popular of these malicious apps. You can find the full list of 14 malware apps in McAfee’s blog post about them. It’s smart to check your phone right now to see if you happen to have any of them installed.

  1. Essential Horoscope for Android (installed 100,000 times)
  2. 3D Skin Editor for PE Minecraft (installed 100,000 times)
  3. Logo Maker Pro (installed 100,000 times)
  4. Auto Click Repeater (installed 10,000 times)
  5. Count Easy Calorie Calculator (installed 10,000 times)
  6. Sound Volume Extender (installed 5,000 times)

The apps use software that McAfee calls “Xamalicious,” because it’s based on the open-source framework Xamarin, which is owned by Microsoft. The very first thing the apps do when opened is ask the user to enable accessibility services, supposedly a necessity for the app to function as intended. Enabling accessibility services for the app might seem harmless enough, and I suspect a lot of users–including me–would do it without too much thought. It’s a mistake, though, because enabling accessibility services is what allows the software to create its back door. 

Once that’s done, the malicious software begins collecting information about your phone, your location, and you. It sends that data back to its central command, wherever that might be. How is that information used? Apparently the malware is looking at specific criteria, such as which carrier you use, whether the device is “rooted” (an operation that gives the user–and the malware–administrator controls), where you are located geographically, whether accessibility services are enabled, and more.

If your phone meets the desired criteria, Xamalicious will then download additional malware, which McAfee calls the “payload.” It’s not entirely clear what the payload will do if you’re unlucky enough to receive it. With the admin powers that Xamalicious grants itself, the payload could do almost anything, including completely take over your device.

But, more likely, it will deliver unwanted and fraudulent ads, McAfee says. “We identified a link between Xamalicious and the ad-fraud app ‘Cash Magnet’ which automatically clicks ads, installs apps, and other actions to fraudulently generate revenue while users that installed it may earn points that are supposed to be redeemable as a retail gift card,” McAfee’s Threat Research Team reports.

Cash Magnet was identified as malware and removed from the app store, but the team that developed it appears to have infiltrated several other apps, including Dots: One Line Connector, and is using them to deliver fraudulent ads. It seems possible that these new malware apps are intended to do the same.

How to keep your Android phone (relatively) safe.

What should you do if you have downloaded one of these apps? If it’s still there, uninstall it. It might be gone already. A Google representative told Tom’s Guide that the company had already uninstalled these apps from users’ phones for those users who have Google Play Protect, which comes pre-installed on many Android phones.

Even if you don’t have any of these apps installed, new ones pop up all the time. So start by making sure you have Play Protect on your phone. Open the Play Store app and tap your profile at the top right. Play Protect may come up in the list, or you may need to tap Settings, and then About. Play Protect can be turned on and off, so make sure it’s turned on. (On my phone, when I tapped on Play Protect, it said it had scanned my device one day ago.) In addition to Play Protect, consider installing antivirus software on your phone.

Perhaps most important, be judicious about downloading apps. Although incidents like these tell us the Play Store’s security is far from perfect, you’re still safer downloading apps from there than “sideloading” them from other sources. Before downloading any app, read multiple reviews, not only on the Play Store (where hackers are liable to post fake reviews), but also on independent review sites. Most of all, if an app asks you to grant it permissions that don’t make obvious sense, or for you to enable accessibility services, think long and hard before you do it.
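Because enabling accessibility services is the step that opens the back door, it is worth checking which apps currently have such a service turned on. The script below is an added example, not part of McAfee's report or of any tool named in this column: it takes the text printed by `adb shell settings get secure enabled_accessibility_services` and lists every package that is not on an allow-list you maintain. The allow-list, the sample input and the package name `com.example.horoscope` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list apps that hold an enabled accessibility service
# but are not on a personal allow-list.
# On a real device with USB debugging enabled, the input comes from:
#   adb shell settings get secure enabled_accessibility_services
# which prints a colon-separated list of package/ServiceClass entries.

# Assumption: space-separated packages you knowingly granted access to.
ALLOWED_PACKAGES="com.google.android.marvin.talkback"

# Constructed sample input; com.example.horoscope is a made-up package.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.horoscope/.core.HelperService'

# Print one package per line for each enabled service whose package
# is not on the allow-list. Runs in a subshell so variables stay local.
unexpected_accessibility_packages() (
    raw=$1
    allowed=$2
    # The setting is empty or the literal "null" when nothing is enabled.
    case "$raw" in
        ''|null) exit 0 ;;
    esac
    printf '%s\n' "$raw" | tr -d '\r' | tr ':' '\n' |
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        pkg=${entry%%/*}            # keep the part before the first "/"
        case " $allowed " in
            *" $pkg "*) ;;          # knowingly enabled, skip
            *) printf '%s\n' "$pkg" ;;
        esac
    done | sort -u                  # one line per package
)

unexpected_accessibility_packages "$SAMPLE" "$ALLOWED_PACKAGES"
```

Any package this prints that you do not remember granting accessibility access to is a candidate for review and uninstalling.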

The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.
