A new category of activity tracking applications has been having massive success recently on Google Play, Androids official app store, having been downloaded on over 20 million devices. The applications promote themselves as health, pedometer, and good habit-building apps, promising to give users random rewards for staying active in their daily lives, reaching distance goals, etc. According to a report by the Dr. Web antivirus the rewards may be impossible to cash out or are only made available partially after forcing users to watch a large number of advertisements. Dr. Web says all three apps communicate with the same remote server address, indicating a common operator/developer. At the time of writing, all three remain available on Google Play. The antivirus firm says the apps do not allow withdrawals before users have accumulated a significant amount of rewards. They promise to unlock Earnings after users sit and watch a dozen advertisement videos. Even after watching a round of ads, the apps push even more ads allegedly to Speed up the withdrawal process. In addition to these signs, Dr. Web reports that an earlier version of Lucky Step - Walking Tracker offered the option to convert in-app rewards to gift cards that users could use for purchasing goods in actual online stores. In recent versions of the app this functionality has been removed from the options, so its not clear what the rewards can be converted to anymore. Some users on Google Play left reviews stating that Lucky Step - Waling Tracker acts as adware, loading full-screen ads upon screen unlock, even overriding active windows. Another example of a similar app thats still available on Google Play is Wonder Time, a rewards app that has amassed 500,000 downloads. The app promises to reward real money for completing various tasks like installing additional applications and games. The tokens users receive for each action are minuscule compared to the minimum earnings withdrawal threshold set by the developer. In the same report, Dr. Web warned that phishing apps disguised as investment apps and games were found on Google Play, measuring over 450,000 downloads. The apps connect to a remote server upon launch and receive a configuration instructing them on what to do. Typically, the instructions involve loading phishing pages that request users to enter sensitive details. If you have any of the above phishing apps installed on your Android device, you should uninstall them immediately and then run an AV scan to locate and remove any remnants. BleepingComputer has contacted Google to ask about the safety of the applications that are still on the Play Store, and we will update this post as soon as we receive a response.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 30 Jan 2023 15:56:02 +0000