Avast recently discovered that a new fake mobile CCleaner app has been published in China's Baidu App Store (百度手机助手), where it is labeled as the Certified Official Version (官方版).
This caught our eye because Avast hasn’t published any official versions of the CCleaner app in the Baidu App Store — and the story begins.
The Baidu App Store
You can clearly see how this fake CCleaner app is being described on the web page and trying to trick users into downloading it. It is being presented as the Certified Official Version (官方版). It also has a Chinese title which makes it appear to be official in the Baidu App Store. One noticeable flaw, however, is in how they incorrectly categorized it under “办公学习 (office learning utilities).” Another red flag is that it is receiving bad scores whereas, in other app stores around the world, CCleaner has top scores.

Fake app in Baidu App Store
Analyzing the fake app with apklab.io
With Avast’s latest mobile threat intelligence platform, apklab.io, researchers can easily see the difference between this fake app and the genuine CCleaner app without trying to reverse engineer the app.
Comparing basic app metadata
First, you quickly notice two things: 1) the fake app is repackaged with a different app name (CCleaner垃圾清理) and a different package name (com.star.ccleaner) and 2) one extra service was introduced with the fake app.
Fake manifest (above)

Genuine manifest (above)
Additionally, the fake CCleaner app is signed by a leaked certificate as shown below.

The file info presented by apklab.io also shows that the fake app's hashes and file size differ from those of the genuine CCleaner app.


The fake app has additional metadata attached to AndroidManifest.xml as shown here:
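The manifest comparison described in this section can also be scripted. The following is an added example, not part of the original post and not apklab.io's code: it diffs two manifests that are assumed to be already decoded to text XML and reports a changed package name, a changed label, and any components or meta-data entries present only in the suspect app. The function names and all component and meta-data names in the sample manifests are hypothetical.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
TAGS = ("activity", "service", "receiver", "provider", "meta-data")

# Constructed manifests: only the package names and the fake app's label come
# from the article; all component and meta-data names are hypothetical.
GENUINE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.piriform.ccleaner">
  <application android:label="CCleaner">
    <activity android:name=".MainActivity"/>
    <service android:name=".CleanerService"/>
  </application>
</manifest>"""

FAKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.star.ccleaner">
  <application android:label="CCleaner垃圾清理">
    <activity android:name="com.piriform.ccleaner.MainActivity"/>
    <service android:name="com.piriform.ccleaner.CleanerService"/>
    <service android:name="com.example.adsdk.DownloadService"/>
    <meta-data android:name="EXAMPLE_CHANNEL" android:value="demo"/>
  </application>
</manifest>"""

def summarize(xml_text):
    """Collect package, label and fully qualified component names."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    def full(tag, name):
        if tag == "meta-data" or not name:
            return name                  # meta-data keys are not class names
        if name.startswith("."):
            return pkg + name            # ".Foo" is relative to the package
        return name if "." in name else f"{pkg}.{name}"
    info = {"package": pkg, "label": root.find("application").get(ANDROID + "label")}
    for tag in TAGS:
        info[tag] = {full(tag, e.get(ANDROID + "name")) for e in root.iter(tag)}
    return info

def repackaging_diff(genuine_xml, suspect_xml):
    g, s = summarize(genuine_xml), summarize(suspect_xml)
    report = {"package_changed": g["package"] != s["package"],
              "label_changed": g["label"] != s["label"]}
    for tag in TAGS:
        report["added_" + tag] = sorted(s[tag] - g[tag])
    return report

if __name__ == "__main__":
    print(repackaging_diff(GENUINE, FAKE))
```

Relative class names are resolved against each manifest's own package before comparison, so a component that was carried over unchanged from the genuine app is not reported as new just because the package attribute was rewritten.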

What does the fake CCleaner app do?
The fake CCleaner app uses the good brand reputation of the genuine CCleaner app 4.11.1 and repackages it to include adware in order to aggressively monetize mainland China users.
Let’s go deeper
By using the apklab.io static analysis tool, you can see other differences between the fake CCleaner app and the genuine CCleaner app. Researchers can easily jump to sections they are interested in.
First, here is the summary of additional packed libraries.
- Umeng – China Mobile App Analytics Provider
- Tencent Ad Platform – 腾讯广告
  - Package: com.qq.e
  - https://e.qq.com/ads/
- Tencent Browsing Service – 腾讯浏览服务 (a WebView wrapper by Tencent)
  - Package: com.tencent.smtt, com.tencent.tbs
- U8SDK – China Gaming apps platform
  - Package: com.u8.sdk
- com.pay.sdk – Unknown payment SDK
- com.erong – Unknown payment SDK
Interesting sections analyzed by apklab.io
You can also see that there are many new sections in the fake CCleaner app which do not exist in the genuine CCleaner app.





These are followed by newly added, repackaged implementations of libraries.







Additional strings introduced by packed libraries


Targeting the Chinese market
When this fake app is run, it displays some ads at the beginning, but then it freezes. So, users can run it, but it is not fully functional. It’s highly likely that this fake app only runs properly on China-only devices and in the China network environment.
What should users do?
At the time of writing, Baidu is the only app store where we found this fake mobile CCleaner app published. We are not sure whether this app will be published in other stores or in other markets, but it is highly possible.
Even though we didn’t observe any root or ransomware behavior from this fake app, we strongly urge users to uninstall this fake app immediately.
And, although Google Play is not accessible in mainland China, we believe some common rules can still be shared to prevent users from installing fake apps.
Check user reviews
Users should always read both the positive and negative reviews of an app before downloading it. Even if an app has positive reviews, one can usually tell if these are fake or genuine; fishy positive reviews can be a sign that an app shouldn’t be trusted.
Check the name of the publisher
The name usually tells you everything. CCleaner would never have an app listed as developed by someone who is not CCleaner.
Check app permissions
Another important step is to carefully check the permissions an app is requesting. If an app requests permissions that don’t make sense and don’t seem necessary for the app to function properly, users should think twice before downloading it.
Check the category
See if the app is in an appropriate category. If not, that could be a red flag.
Check the description
Do the performance and promises seem over-the-top? If they overpromise, be wary.
Uninstall apps immediately when any abnormal behavior is observed
Avast has contacted the Baidu app store to get this fake app removed.
Files analyzed
Fake | com.star.ccleaner | db60d8a67057a9ee760c556575dd38206f430f5bca758dacdd4edbac6abeb98a |
Genuine | com.piriform.ccleaner | c7e92d7fa29ad8477dfed133b6e8d67233e575577673e6ce03ec5f3a8e24065a |
Baidu app link: https://shouji.baidu.com/software/25583524.html
*** This is a Security Bloggers Network syndicated blog from Blog | Avast EN authored by Avast Blog. Read the original post at: https://blog.avast.com/fake-mobile-ccleaner-app-tricking-users

