
Fake mobile CCleaner app sneaked into the China Baidu app store

Jen-Yu (Bill) Tsai, 4 March 2019

Fake CCleaner app loaded with adware

Avast recently discovered a new fake mobile CCleaner app published in the Chinese Baidu App Store (百度手机助手), where it is labeled as the Certified Official Version (官方版).

This caught our eye because Avast has never published an official version of the CCleaner app in the Baidu App Store, and that is where the story begins.

The Baidu App Store

You can clearly see how this fake CCleaner app is described on the store page and how it tries to trick users into downloading it. It is presented as the Certified Official Version (官方版), and it carries a Chinese title that makes it appear official in the Baidu App Store. One noticeable flaw, however, is that it is incorrectly categorized under “办公学习 (office learning utilities).” Another red flag is that it receives poor scores, whereas in other app stores around the world CCleaner has top scores.

[Image: Fake app in the Baidu App Store]

Analyzing the fake app with apklab.io

With Avast’s latest mobile threat intelligence platform, apklab.io, researchers can easily see the difference between this fake app and the genuine CCleaner app without trying to reverse engineer the app.

Comparing basic app metadata

First, you quickly notice two things: 1) the fake app is repackaged with a different app name (CCleaner垃圾清理) and a different package name (com.star.ccleaner), and 2) four extra activities and one extra service were introduced with the fake app.

[Image: Fake manifest]

[Image: Genuine manifest]
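The manifest comparison described above can be reproduced without apklab.io once both APKs have been decoded (for example with apktool) to plain-XML AndroidManifest.xml files. The script below is an added example, not Avast's or apklab.io's code: it parses two manifests, reports the package-name change, the added activities, services, permissions and meta-data, and flags added permissions that correspond to the behaviours later highlighted in the fake app (SMS parsing, phone number, package installation, overlays, running tasks). The two sample manifests and all class names, meta-data keys and values in them are constructed for this example; only the package names and the library package prefixes (com.qq.e, com.pay.sdk, com.erong) come from the article.

```python
"""Diff two decoded AndroidManifest.xml files: package name, components,
permissions and meta-data. Added example; sample manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the behaviours apklab.io flagged in the repackaged app.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",                  # parsing SMS list
    "android.permission.READ_PHONE_STATE",          # gets the phone number / device ID
    "android.permission.REQUEST_INSTALL_PACKAGES",  # installs a package
    "android.permission.SYSTEM_ALERT_WINDOW",       # overlay to apps
    "android.permission.GET_TASKS",                 # running tasks / app processes
}

# Constructed sample of a genuine manifest (class names are placeholders).
GENUINE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.piriform.ccleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_PACKAGE_SIZE"/>
  <application android:label="CCleaner">
    <activity android:name="com.piriform.ccleaner.MainActivity"/>
    <service android:name="com.piriform.ccleaner.CleanerService"/>
  </application>
</manifest>
"""

# Constructed sample of a repackaged manifest: new package name, four extra
# activities, one extra service, extra permissions and extra meta-data.
REPACKAGED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.star.ccleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_PACKAGE_SIZE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="CCleaner垃圾清理">
    <meta-data android:name="UMENG_APPKEY" android:value="PLACEHOLDER_KEY"/>
    <activity android:name="com.piriform.ccleaner.MainActivity"/>
    <activity android:name="com.qq.e.ads.ADActivity"/>
    <activity android:name="com.pay.sdk.PayActivity"/>
    <activity android:name="com.erong.PayWebActivity"/>
    <activity android:name="com.u8.sdk.SplashActivity"/>
    <service android:name="com.piriform.ccleaner.CleanerService"/>
    <service android:name="com.pay.sdk.PayService"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract package name, permissions, components and meta-data."""
    root = ET.fromstring(xml_text)
    name, value = ANDROID_NS + "name", ANDROID_NS + "value"
    app = root.find("application")

    def components(tag):
        return {e.get(name) for e in app.iter(tag)} if app is not None else set()

    return {
        "package": root.get("package"),
        "permissions": {e.get(name) for e in root.iter("uses-permission")},
        "activities": components("activity"),
        "services": components("service"),
        "meta_data": {e.get(name): e.get(value) for e in root.iter("meta-data")},
    }


def diff_manifests(genuine, suspect):
    """Report what the suspect manifest adds or removes relative to the genuine one."""
    report = {
        "package": (genuine["package"], suspect["package"]),
        "package_changed": genuine["package"] != suspect["package"],
    }
    for key in ("permissions", "activities", "services"):
        report["added_" + key] = sorted(suspect[key] - genuine[key])
        report["removed_" + key] = sorted(genuine[key] - suspect[key])
    report["added_meta_data"] = {
        k: v for k, v in suspect["meta_data"].items() if k not in genuine["meta_data"]
    }
    report["sensitive_added_permissions"] = sorted(
        set(report["added_permissions"]) & SENSITIVE_PERMISSIONS
    )
    return report


if __name__ == "__main__":
    result = diff_manifests(parse_manifest(GENUINE_MANIFEST),
                            parse_manifest(REPACKAGED_MANIFEST))
    for field, val in result.items():
        print(f"{field}: {val}")
```

On real input, replace the two constants with the contents of the decoded manifests; the report's added components and sensitive permissions are the first things to look at when deciding whether a store listing is a repackaged copy of a known app.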

Additionally, the fake CCleaner app is signed by a leaked certificate as shown below.

[Image: Certificate used to sign the fake app]

The file info presented by apklab.io also shows that the fake app’s hashes and file size differ from those of the genuine CCleaner app.

[Image: Fake app file info]

[Image: Genuine app file info]

The fake app also has additional meta-data entries in its AndroidManifest.xml, as shown here:

[Image: Additional meta-data in the fake manifest]

What does the fake CCleaner app do?

The fake CCleaner app trades on the brand reputation of the genuine CCleaner app (version 4.11.1), repackaging it with adware in order to aggressively monetize users in mainland China.

Let’s go deeper

By using the Apklab.io static analysis tool, you can see other differences between the fake CCleaner app and the genuine CCleaner app. Researchers can easily jump to sections they are interested in.

First, here is the summary of additional packed libraries.

  • Umeng - China Mobile App Analytics Provider
  • Tencent Ad Platform - 腾讯广告
    • Package: com.qq.e
    • https://e.qq.com/ads/
  • Tencent Browsing Service - 腾讯浏览服务 (a WebView wrapper by Tencent)
  • U8SDK - China Gaming apps platform
  • com.pay.sdk - Unknown payment SDK
  • com.erong - Unknown payment SDK

Interesting sections analyzed by apklab.io

You can also see that there are many new sections in the fake CCleaner app which do not exist in the genuine CCleaner app.

[Image: apklab.io section: executes external code]

[Images: apklab.io sections: parsing SMS list, unique device ID, gets the phone number, installs a package]

Followed by newly added repackaged implementations of libraries:

[Images: apklab.io sections: get running tasks, running tasks top priority, running app processes, loads data from assets, overlay to apps, uses encryption, libraries]

Additional strings introduced by packed libraries

[Images: Additional strings, parts 1 and 2]

Targeting the Chinese market

When run, the fake app displays some ads at first and then freezes, so users can launch it, but it is not fully functional. It is highly likely that the app only works properly on devices sold in China and within the Chinese network environment.

What should users do?

At the time of writing, Baidu was the only app store we found publishing this fake mobile CCleaner app. We do not know whether its authors will keep trying to publish it in other stores or markets, but it is highly possible.

Even though we didn’t observe any root or ransomware behavior from this fake app, we strongly urge users to uninstall this fake app immediately.

And, although Google Play is not accessible in mainland China, we believe some common rules can still be shared to help users avoid installing fake apps.

  • Check user reviews
    Users should always read both the positive and negative reviews of an app before downloading it. Even if an app has positive reviews, one can usually tell if these are fake or genuine; fishy positive reviews can be a sign that an app shouldn’t be trusted.

  • Check the name of the publisher
    The name usually tells you everything. CCleaner would never have an app listed as developed by someone who is not CCleaner.

  • Check app permissions
    Another important step is to carefully check the permissions an app is requesting. If an app requests permissions that don't make sense and don't seem necessary for the app to function properly, users should think twice before downloading it.

  • Check the category
    See if the app is in an appropriate category. If not, that could be a red flag.

  • Check the description
    Do the performance and promises seem over-the-top? If they overpromise, be wary.

  • Uninstall an app immediately if you observe any abnormal behavior

Avast has contacted the Baidu app store to get this fake app removed.

Files analyzed

Fake
Package: com.star.ccleaner
SHA-256: db60d8a67057a9ee760c556575dd38206f430f5bca758dacdd4edbac6abeb98a

Genuine
Package: com.piriform.ccleaner
SHA-256: c7e92d7fa29ad8477dfed133b6e8d67233e575577673e6ce03ec5f3a8e24065a

Baidu app link: https://shouji.baidu.com/software/25583524.html

Follow up updates

We have found two more Chinese app stores that have published this fake app. One is hosted by Tencent (应用宝) and the other by 360 (360手机助手).

The bad actor used different combinations of app icons and app names to make users believe that these are the official CCleaner app, especially for users in mainland China who are not familiar with the genuine CCleaner app.

[Image: The Tencent app store (应用宝)]

[Image: The 360 app store (360手机助手)]

New indicators of compromise

In the Tencent app store (应用宝), the app is listed under a publisher named 河北三特网络科技有限公司. There is no further information about this company, but users can treat this publisher name as a new indicator of compromise (IoC) when downloading apps.

We are contacting these two app stores to get these fake apps removed.

New links analyzed

Tencent: https://sj.qq.com/myapp/detail.htm?apkName=com.star.ccleaner

360: http://zhushou.360.cn/detail/index/soft_id/4027163?recrefer=SE_D_com.star.ccleaner