What you think is a "fix it" is actually a trap!

Source: Internet
Author: User


Studies have shown that third-party app stores are often hotbeds of malware, specifically malicious versions of popular applications. In addition to malicious applications, we have seen a noticeable increase in "downloader applications" in these stores, whose main function is to download other applications that may be harmful to mobile users.

Downloader applications in a third-party app store in China

Trend Micro found that thousands of applications in China's most popular third-party Android app store have been specifically packaged to trick users into downloading other applications.

One example is disguised as the game application Fire cloud evil God. Our analysis shows that this is a repackaged application that pops up a window after installation. The message informs the user that the system lacks core components required by some applications and urges the user to fix this for a "better user experience." Once the "Repair" button is pressed, the download begins.


(Left: the game app; right: the message stating that the device needs to download components)

While the "fix" is being downloaded, images advertising other applications are displayed, and the user is prompted to click them. We noticed that the downloaded app is not necessarily the one advertised in the image, and that clicking on any image downloads other apps.

If the user does not tap the image, it stays on the screen until the download is complete. The user can press "X" to close the image, but another image immediately appears in its place.

When the download is complete, the user is asked to install the components. This is actually a downloader, com.andriod.frames.


(This component is com.andriod.frames)

When the installation is complete, com.andriod.frames runs in the background, downloads other applications and asks the user to install them.


(com.andriod.frames runs and downloads other applications in the background)

The dangers of the downloader application

We searched the database for these applications and found that their package names are random.


(The applications' random package names)

We also noticed that they all bundle the same package, com.android.yuyouwall, whose main activity is to trick users into downloading applications such as com.andriod.frames. Based on these points, we believe that these applications are automatically generated.

(Program code within the application shows download behavior)
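As an added example (not Trend Micro's code and not part of the original article), the following Python triages an APK for the shared com.android.yuyouwall package by searching its dex files for the matching type-descriptor prefix, and checks `pm list packages` output for com.andriod.frames. It assumes the shared package shows up as class names in an unpacked classes*.dex; the sample APKs and package list are constructed.

```python
import io
import zipfile

# Indicators named in the article. The dex type-descriptor form ("Lcom/.../")
# is derived from the package name and is an assumption of this example.
SHARED_PACKAGE = b"Lcom/android/yuyouwall/"
DOWNLOADER_PACKAGE = "com.andriod.frames"


def apk_bundles_shared_package(apk_bytes):
    """Return the classes*.dex entries whose string data references the shared package."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
            for name in apk.namelist():
                # Dex files sit at the APK root: classes.dex, classes2.dex, ...
                if name.startswith("classes") and name.endswith(".dex"):
                    # ASCII class names are stored literally in dex string data.
                    if SHARED_PACKAGE in apk.read(name):
                        hits.append(name)
    except zipfile.BadZipFile:
        return []  # not a valid APK/ZIP archive, nothing to report
    return hits


def downloader_installed(pm_list_output):
    """Check `pm list packages` output for the downloader package name."""
    installed = set()
    for line in pm_list_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # With -f the line is 'package:<apk path>=<name>'; the path may
            # itself contain '=', so keep only what follows the last one.
            installed.add(line[len("package:"):].rsplit("=", 1)[-1])
    return DOWNLOADER_PACKAGE in installed


def _constructed_apk(dex_payload):
    """Build a minimal ZIP standing in for an APK (constructed input, not a real dex)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", dex_payload)
        z.writestr("AndroidManifest.xml", b"")
    return buf.getvalue()


# Constructed samples: one bundling the shared package, one without it.
SAMPLE_FLAGGED = _constructed_apk(b"dex\n035\x00..Lcom/android/yuyouwall/MainActivity;..")
SAMPLE_CLEAN = _constructed_apk(b"dex\n035\x00..Lcom/example/game/Main;..")
SAMPLE_PM = "package:com.example.game\npackage:/data/app/x==/base.apk=com.andriod.frames\n"
```

Because the package names of the carrier apps are random, the match is made on the bundled package rather than on the app's own name; a packed or obfuscated dex would not be caught by this byte search.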

Currently, we see about 5,000 applications with the same behavior in this third-party app store. These applications pose as popular applications such as games and trick users into downloading so-called core components or data packages, which are actually downloaders.

This type of application behavior poses serious security concerns for mobile devices. The downloaded application may be malicious software or an application that pushes a large number of ads to users. Installing these applications still requires user authorization, which can be considered a "temporary" security measure, but the incessant notifications and pop-up windows are still annoying.

Trend Micro warns you to be especially careful when downloading from third-party app stores, and recommends downloading apps from the official app store (Google Play Store) or the developer's official website. In addition, mobile users should invest in mobile security solutions that can really protect their devices from these threats.

Trend Micro's mobile security protection software protects users from these downloader applications and detects them as ANDROIDOS_YUYOU.HBT.
