Fake FaceApp crashes during installation, installs MobiDash malware

MobiDash malware is being delivered via a fake FaceApp module that is hosted on third-party sites

Over 500 people have been infected with MobiDash adware after downloading a fake version of FaceApp

Cybersecurity researchers at Kaspersky spotted a new malware campaign built around a fake version of the viral FaceApp application. Those who download and install the malicious version of the app will immediately notice an extremely high number of advertisements hogging their phones, because the device is now infected with MobiDash malware.

Kaspersky security experts spotted the first surge of infections back on July 7. Only a week later, the fake FaceApp had already been downloaded by 500 unique users. The application is hosted on third-party sites, a well-known technique for distributing malware, although Android and iOS users do not seem to have gotten the memo.

Once installed, the malicious app simulates a crash and then seemingly uninstalls itself. What users are not aware of, however, is that malicious code has been injected and keeps running in the background. Igor Golovin, the security analyst from Kaspersky, explains:[1]

Once the application is downloaded from unofficial sources and installed, it simulates a failure and is subsequently removed. After that, a malicious module in the application rests discreetly on the user's device, displaying adverts.

Cybercriminals exploit the FaceApp challenge in order to infect hundreds of users with MobiDash malware

The application, which was initially used as a fun experience where users can age their photos, was recently scrutinized: it turned out that the developers of FaceApp upload the pictures to the database without directly asking for permission. Some claims even linked the app to Russian state-initiated research and alleged that merely installing the app can result in the creation of a profile that links a picture to a name; nevertheless, some news outlets disagree with these claims.[2]

The FaceApp application became popular back in 2017, but it has been on the rise lately due to the #AgeChallenge, with people flooding social networks like Facebook and Twitter with pictures of their older selves. Because of this immense popularity, cybercriminals have been quick to turn the phones of hundreds of fans into ad-spamming bots, which in turn generate profits. In the next few months, the infection count is expected to rise as users continue to download apps from unofficial sources.

Fake versions of malicious apps become a successful business model for cyber villains

Fake versions of very popular apps are not a new thing; numerous others have been spotted being distributed by threat actors. Cheat apps and other fake versions of the smash hit Pokemon Go[3] delivered RATs to users' devices, and Fortnite cheaters ended up with data-stealing malware on their computers[4]. These are just a few examples of hackers making use of hugely popular titles.

Downloading apps from third-party sites is one thing, but ESET security researcher Lukas Stefanko has now also spotted a new scam campaign that targets the #AgeChallenge audience. According to him, a fake “Pro” version of the app is being promoted by cybercriminals on fake websites and in YouTube videos:[5]

Scammers have been trying, to various ends, to exploit this wave of interest, using a fake “Pro” – yet free – version of the application as a lure. The fraudsters have also made an effort to spread the word about this fictitious version of the currently-viral app – at the time of writing this blogpost, a Google search for “FaceApp Pro” returns some 200,000 articles.

Users should be extremely careful when using applications that store personal data such as pictures. It is even worse when such an application is fake, as removing the malicious payload from the phone also becomes a headache. For those who got infected, experts recommend scanning the device with anti-malware software, which should immediately terminate MobiDash adware and all its components.

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
