
A new category of activity-tracking applications has recently been hugely successful on Google Play, Android's official app store, reaching a combined total of over 20 million downloads.

The applications promote themselves as health, pedometer, and habit-building apps, promising users random rewards for staying active in their daily lives, reaching distance goals, and so on.

According to a report by antivirus vendor Dr. Web, however, the rewards are either impossible to cash out or are only partially unlocked after users are forced to watch a large number of advertisements.

Three notable examples listed in Dr. Web's report are:

  • Lucky Step – Walking Tracker – 10 million downloads
  • WalkingJoy – 5 million downloads
  • Lucky Habit: health tracker – 5 million downloads
Shady pedometer apps on Google Play (BleepingComputer)

Dr. Web says all three apps communicate with the same remote server address, which points to a common operator or developer. At the time of writing, all three remain available on Google Play.

The antivirus firm says the apps do not allow withdrawals until users have accumulated a significant amount of rewards. Even then, they only promise to unlock "earnings" after users sit through a dozen advertisement videos.

Even after watching a round of ads, the apps push still more ads, allegedly to "speed up" the withdrawal process.

In addition to these signs, Dr. Web reports that an earlier version of 'Lucky Step – Walking Tracker' offered the option to convert in-app rewards into gift cards that could be used to purchase goods in real online stores.

In recent versions of the app, however, this functionality has been removed, so it is no longer clear what the rewards can be converted into.

Some users on Google Play left reviews stating that 'Lucky Step – Walking Tracker' acts as adware, loading full-screen ads upon screen unlock and even overriding active windows.

User comments about Lucky Step on Google Play (BleepingComputer)

Another example of a similar app that's still available on Google Play is 'Wonder Time,' a rewards app that has amassed 500,000 downloads.

The app promises to reward real money for completing various tasks like installing additional applications and games.

However, the tokens users receive for each action are minuscule compared with the minimum withdrawal threshold set by the developer.

Wondertime app on Google Play (BleepingComputer)

Phishing games

In the same report, Dr. Web warned that phishing apps disguised as investment apps and games were found on Google Play, totaling over 450,000 downloads.

The apps connect to a remote server on launch and receive a configuration that instructs them what to do. Typically, the instructions involve loading phishing pages that ask users to enter sensitive details. Because the malicious behavior is fetched at runtime rather than shipped in the APK, such apps can appear benign when inspected statically.

The malicious game apps observed by Dr. Web are the following:

  • Golden Hunt – 100,000 downloads
  • Reflector – 100,000 downloads
  • Seven Golden Wolf blackjack – 100,000 downloads (still on Google Play)
  • Unlimited Score – 50,000 downloads
  • Big Decisions – 50,000 downloads
  • Jewel Sea – 10,000 downloads
  • Lux Fruits Game – 10,000 downloads
  • Lucky Clover – 10,000 downloads
  • King Blitz – 5,000 downloads
  • Lucky Hammer – 1,000 downloads
One of the malicious games still on Google Play (BleepingComputer)

If you have any of the above phishing apps installed on your Android device, uninstall them immediately and then run an antivirus scan to locate and remove any remnants. If you entered credentials or payment details into any of these apps, treat that data as compromised and change the affected passwords.

BleepingComputer has contacted Google to ask about the safety of the applications that are still on the Play Store, and we will update this post as soon as we receive a response.
