Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

Fraudsters spread a mobile trojan disguised as a Valorant game

May 28, 2020

Doctor Web specialists have uncovered a fraudulent campaign targeting mobile device owners. Cybercriminals are publishing misleading videos on YouTube, promoting a mobile version of a new Valorant game and prompting unsuspecting users to install it on their mobile devices. But in reality, a trojan is being installed instead of the real game. This trojan helps malware creators get rewards from various online affiliate programs.

The Valorant game is still under development and available only as a beta testing version on computers running Windows. However, fraudulent videos are created so that the gaming process on mobile devices seems plausible.

#drweb

#drweb

To make it appear more believable, these videos are accompanied by a detailed description and numerous comments from other users who seemingly successfully installed the game on their mobile devices. All these comments are fake.

#drweb

#drweb #drweb

To download the game, users are prompted to visit a website designed to look like the official Valorant project website. It contains two links that apparently lead to the game download. If a visitor tries to use the link from the iOS device, the website will redirect the request to the affiliate program web portal. If the request is performed from an Android device, the APK file with Android.FakeApp.176 will be downloaded instead. Since this file is received from a third-party source rather than the official Google Play store, on most modern devices a necessary system security settings change must be applied to install it.

#drweb #drweb #drweb #drweb

This malware imitates the game’s launch process but then offers a device validation to “unlock” it. To do so, the user is asked to download and install two additional apps.

#drweb

#drweb

#drweb

#drweb

If the user agrees to “unlock” the game, a trojan loads the same affiliate service website, as with the iOS devices, in the browser. This website checks various parameters and redirects the user to another affiliate program website. There, the visitor is proposed to complete the tasks in order to receive a reward. In this example the user is required to install and launch a game from Google Play, as well as to participate in an online survey.

#drweb #drweb #drweb #drweb

Such websites represent typical services that help clients earn money through affiliate clicks, artificial increases in the number of website visitors, monetization through the software advertizing and pay-per-install schemes in order to increase software popularity and number of installations, as well as monetizing online surveys and other online marketing campaigns on the Internet.

In fact, some of these services provide real rewards to users. For example, they can receive an in-game currency or other game bonuses upon completing the task. However, in the case of the Android.FakeApp.176 trojan, users receive no reward at all. The mobile version of the Valorant game does not currently exist, and the only purpose of this fake app is to load the affiliate website to help malware developers receive rewards by taking advantage of their victims.

This type of illegal profiting through use of malicious apps spread as legitimate games isn’t new. For example, the same version of the Android.FakeApp.176 trojan was spread under the guise of the mobile version of the recent Call of Duty: Warzone game, which is only available on consoles and PC. Moreover, back in 2018 fraudsters were spreading one of the modifications of this trojan, disguised as the Fortnite game, and as the Apex Legends game back in a 2019. Both games quickly gained popularity among players, which malware creators quickly turned to their own advantage. The new title announced less than two months ago has already gained millions of fans and scammers promptly stepped in once again.

Doctor Web recommends users take the information from the Internet with a grain of salt and not open suspicious links or install dubious applications from unknown sources.

Dr. Web for Android Anti-Virus solutions reliably detects and deletes all known modifications of the Android.FakeApp.176 from Android devices, keeping our users well protected from this threat.

More details about Android.FakeApp.176

Dr.Web Mobile Security

Ваш Android нуждается в защите.

Используйте Dr.Web

  • Первый российский антивирус для Android
  • Более 140 миллионов скачиваний только с Google Play
  • Бесплатный для пользователей домашних продуктов Dr.Web

Скачать бесплатно

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses
Doctor Web has been developing anti-virus software since 1992
Dr.Web is trusted by users around the world in 200+ countries
The company has delivered an anti-virus as a service since 2007
24/7 tech support

Dr.Web © Doctor Web
2003 — 2020

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040