Recently, Avast has discovered that a new fake mobile CCleaner app has been published in the China Baidu App Store (百度手机助手) and it’s specified as Certified Official Version (官方版).
This caught our eye because Avast hasn’t published any official versions of the CCleaner app in the Baidu App Store -- and the story begins.
The Baidu App Store
You can clearly see how this fake CCleaner app is being described on the web page and trying to trick users into downloading it. It is being presented as the Certified Official Version (官方版). It also has a Chinese title which makes it appear to be official in the Baidu App Store. One noticeable flaw, however, is in how they incorrectly categorized it under “办公学习 (office learning utilities).” Another red flag is that it is receiving bad scores whereas, in other app stores around the world, CCleaner has top scores.
Fake app in Baidu App Store
Analyzing the fake app with apklab.io
With Avast’s latest mobile threat intelligence platform, apklab.io, researchers can easily see the difference between this fake app and the genuine CCleaner app without trying to reverse engineer the app.
Comparing basic app metadata
KFirst, you quickly notice two things: 1) the fake app is repackaged with a different app name (CCleaner垃圾清理) and a different package name (com.star.ccleaner) and 2) four extra activities and one extra service were introduced with the fake app.
Fake manifest (above)
Genuine manifest (above)
Additionally, the fake CCleaner app is signed by a leaked certificate as shown below.
You can also see that the file info presented by apklab.io shows different hashes and file sizes that the fake app has as compared to the genuine CCleaner app.
The fake app has additional meta attached to AndroidManifest.xml as shown here:
What does the fake CCleaner app do?
The fake CCleaner app uses the good brand reputation of the genuine CCleaner app 4.11.1 and repackages it to include adware in order to aggressively monetize mainland China users.
Let’s go deeper
By using the Apklab.io static analysis tool, you can see other differences between the fake CCleaner app and the genuine CCleaner app. Researchers can easily jump to sections they are interested in.
First, here is the summary of additional packed libraries.
You can also see that there are many new sections in the fake CCleaner app which do not exist in the genuine CCleaner app.
Followed by newly added repackaged implementations of libraries.
Additional strings introduced by packed libraries
Targeting the Chinese market
When running this fake app, it displays some ads in the beginning, but then it will freeze. So, users can run it, but it is not fully functional. It’s highly likely that this fake app can only be well executed on China-only devices and under the China network environment.
What should users do?
At the time of the writing of this article, we found Baidu is the only app store that published this fake mobile CCleaner app. We are not sure if this app will keep trying to publish in other stores or in other markets, but it is highly possible.
Even though we didn’t observe any root or ransomware behavior from this fake app, we strongly urge users to uninstall this fake app immediately.
Check user reviews Users should always read both the positive and negative reviews of an app before downloading it. Even if an app has positive reviews, one can usually tell if these are fake or genuine; fishy positive reviews can be a sign that an app shouldn’t be trusted.
Check the name of the publisher The name usually tells you everything. CCleaner would never have an app listed as developed by someone who is not CCleaner.
Check app permissions Another important step is to carefully check the permissions an app is requesting. If an app requests permissions that don't make sense and don't seem necessary for the app to function properly, users should think twice before downloading it.
Check the category See if the app is in an appropriate category. If not, that could be a red flag.
Check the description Do the performance and promises seem over-the-top? If they overpromise, be wary.
Uninstall apps immediately when any abnormal behaviors observed
Avast has contacted the Baidu app store to get this fake app removed.
We have found 2 more China app stores that have published this fake app. One is hosted by Tencent (应用宝) and the other is hosted by 360 (360手机助手).
The bad actor used different combinations of app icons and app names to make users believe that these are the official CCleaner app, especially for users in mainland China who are not familiar with the genuine CCleaner app.
The Tencent app store (应用宝)
The 360 app store (360手机助手)
New indicators of compromise
In the Tencent app store (应用宝), there is a publisher named 河北三特网络科技有限公司. There is no further information about this company, but users can see this as a new IoC (Indicators of Compromise) when downloading apps.
We are contacting these 2 app stores to get these fake apps removed.