Mobile Threat Blog

There are over 30 mobile anti-virus (AV) products for Android available on Google Play. Regardless of how well your product works, it is ultimately the number of downloads that determines how your app is ranked in the app stores. The app developer therefore has a big incentive to show a large number of downloads compared to competing AV products. It should not come as a surprise that app vendors, including mobile AV companies, would turn to deceptive pay-per-install practices to improve their download ranking.

Pay-per-install is a scheme where a vendor drives traffic to their Google Play page with the intent of improving their download/install count. Because AV is a multi-million dollar business, companies sometimes yield to the temptation to invest in such questionable practices.

Typical scenario: You’re visiting a download site for songs and third-party apps. All of a sudden, a pop-up appears that identifies the make and model of your device and claims that it’s infected with malware.

The notification is followed by a redirection to a site claiming to offer an online scanning service for malware. The user interface of the site is similar in design to the apps used by mobile AV companies.

The site displays a progress bar indicating the current status of the scan, along with notifications of any threats that are found. All of this is just an elaborate ruse to fool the unsuspecting user into thinking that they are actually infected with genuine malware. The final touch to the scam is the use of genuine malware names at the end of the scan, in case the victim decides to search the Internet for additional information.


There are several variations of the ‘Fake AV’ scam above, including the use of local languages such as Japanese, but the goal is the same: to get you to download a product from Google Play. Even though the product that is ultimately suggested may be a legitimate one, falsely claiming that your device was infected to begin with, then getting you to download an app, is extremely deceitful and raises questions about ethics and business practices.