ESET is warning Android users to watch out for fake patch apps, which are possibly the first of their kind to take advantage of the newly discovered QuadRooter vulnerability.
The two fake patch apps in question are both named "Fix Patch QuadRooter" and are published by Kiwiapps Ltd; one of them costs 0.99 EUR (AU$1.40 or NZ$1.50). Neither app patches anything; instead, they distribute adware.
“In the past, we have seen this technique used to target users through the Windows platform. For example, some e-criminals would trick online stores into installing a fake security patch for a critical vulnerability in the Magento ecommerce platform. This technique would allow hackers to easily access the admin credentials for vulnerable e-stores. One of those attacks relied on a fake patch to deliver malware which then used the very bug that it was supposed to be fixing,” says Nick FitzGerald, senior research fellow at ESET.
ESET states that malicious apps often come alongside free versions, tutorials and cheat apps, meaning security is more important than ever. Fake patch apps may increasingly be used to target unsuspecting victims who are not as careful about mobile security as they could be. The company says that no vulnerabilities can be patched through an app, and any that claim to do so are scams.
FitzGerald provides some tips to help stop you becoming a victim.
“Unfortunately, patching with Android isn’t as easy and straightforward as some would imagine. It’s important to understand that malware like QuadRooter needs to be delivered in the form of an app. Unless “Unknown Sources” is enabled in your settings and you manually install an app from an untrusted source, this isn’t a threat. Here are some best practices for downloading apps and addressing the need for patch updates:
- Make sure you have the Android “Verify Apps” feature enabled (if not automatically enabled from Android version 4.2 Jelly Bean)
- Watch for the official patches prepared by Android developers themselves, depending on your device’s manufacturer
- Never install non-official apps or download from a non-official store, and avoid clicking weird-looking links received by email or text
- Choose the right security protection, specifically tailored for mobile use
- Remember that if an app promises to fix something in your system, it is most likely a scam.”