Over ten million users have been duped into installing a fake Samsung app named “Updates for Samsung” that promises firmware updates but, in reality, redirects users to an ad-filled website and charges for firmware downloads.
“I have contacted the Google Play Store and asked them to consider removing this app,” Aleksejs Kuprins, malware analyst at the CSIS Security Group, told ZDNet today in an interview, after publishing a report on the app’s shady behavior earlier today.
The app takes advantage of the difficulty in getting firmware and operating system updates for Samsung phones, hence the high number of users who have installed it.
“It would be wrong to judge people for mistakenly going to the official application store for the firmware updates after buying a new Android device,” the security researcher said. “Vendors frequently bundle their Android OS builds with an intimidating number of software, and it can easily get confusing.”
“A user can feel a bit lost about the [system] update procedure. Hence can make a mistake of going to the official application store to look for system update.”
The “Updates for Samsung” app promises to solve this problem for non-technical users by providing a centralized location where Samsung phone owners can get their firmware and OS updates.
But according to Kuprins, this is a ruse. The app, which has no affiliation with Samsung, merely loads the updato[.]com domain in a WebView (Android browser) component.
Rummaging through the app’s reviews, one can see hundreds of users complaining that the site is an ad-infested hellhole where most of them can’t find what they’re looking for, and that’s only when the app works and doesn’t crash.
The site does offer both free and paid (legitimate) Samsung firmware updates, but after digging through the app’s source code, Kuprins said the website limits the speed of free downloads to 56 KBps, and some free firmware downloads eventually end up timing out.
“During our tests, we too have observed that the downloads don’t finish, even when using a reliable network,” Kuprins said.
But by making free downloads fail, the app pushes users to purchase a $34.99 premium package in order to download any files at all.
Source: Fake Samsung firmware update app tricks more than 10 million Android users | ZDNet
Robin Edgar