Story image

ESET warns Android users to beware of fake QuadRooter patch apps

18 Aug 2016

ESET is warning Android users to watch out for fake patch apps, which are possibly the first of their kind to take advantage of the newly-discovered QuadRooter vulnerability.

The two fake patch apps in question are the "Fix Patch QuadRooter" by Kiwiapps Ltd, one of which cost 0.99 EUR (AU$1.40 or NZ$1.50), which does not patch anything but instead distributes adware.

“In the past, we have seen this technique used to target users through the Windows platform. For example, some e-criminals would trick online stores into installing a fake security patch for a critical vulnerability in the Magento ecommerce platform. This technique would allow hackers to easily access the admin credentials for vulnerable e-stores. One of those attacks relied on a fake patch to deliver malware which then used the very bug that it was supposed to be fixing,” says Nick FitzGerald, senior research fellow at ESET.

ESET states that malicious apps often come alongside free versions, tutorials and cheat apps, meaning security is more important than ever. Fake patch apps may increasingly be used to target unsuspecting victims who are not as careful about mobile security as they could be. The company says that no vulnerabilities can be patched through an app, and any that claim to do so are scams.

FitzGerald provides some tips to help stop you becoming a victim.

“Unfortunately, patching with Android isn’t as easy and straightforward as some would imagine. It’s important to understand that malware like QuadRooter needs to be delivered in the form of an app. Unless “Unknown Sources” is enabled in your settings and you manually install an app from an untrusted source, this isn’t a threat. Here are some best practices for downloading apps and addressing the need for patch updates:

  • Make sure you have the Android “Verify Apps” feature enabled (if not automatically enabled from Android version 4.2 Jelly Bean)
  • Watch for the official patches prepared by Android developers themselves, depending on your device’s manufacturer
  • Never install non-official apps or download from a non-official store, and avoid clicking weird-looking links received by email or text
  • Choose the right security protection, specifically tailored for mobile use
  • Remember that if an app promises to fix something in your system, it is most likely a scam.”
SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.