Threat Research: FalseGuide

Share and earn Cybytes
Facebook Twitter LinkedIn Email

This Threat Research is about the recently (re)discovered “FalseGuide” threat found in Google Play.

FalseGuide is a form of malware that has been hidden in more than 40 game guide apps in Google Play since February 2017. According to reports, approximately 600,000 devices may have been infected before the known versions of the malware were removed from Google Play. Newly infected apps were found in April and subsequently removed again, setting a pattern for additional infections to be released and found in the future. FalseGuide creates a silent botnet out of the infected devices for adware purposes, and also could enable the attacker to root the device or conduct DDoS attacks.

Additional details of the threat, and how Zimperium zIPS protects devices against it, are included below.

Threat/Attack Description:

  • FalseGuide requests device admin permission on installation, thereby avoiding detection and deletion by the device owner.
  • The malware then registers itself to a Firebase Cloud Messaging topic which has the same name as the app.
  • Once subscribed to the topic, FalseGuide can receive messages containing links to additional modules and download them to the infected device.
  • FalseGuid then displays illegitimate pop-up ads using a background service that starts running once the device is booted.

zIPS Detection:

zIPS will detect and alert on all of these malicious apps with an option to delete/uninstall the apps immediately.

When an app is downloaded or installed, the zIPS on-device engine analyzes the code to determine if it contains anything malicious. As a secondary layer of defense, zIPS can also query our advanced cloud-based threat intelligence capabilities (e.g., the Zimperium Global Malware Database) for additional analysis.

Threat level: Low

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Zimperium
Zimperium, the industry leader in Mobile Threat Defense, offers real-time, on-device protection against both known and previously unknown threats, enabling detection and remediation of attacks on all three mobile threat vectors - Device, Network and Applications. Zimperium’s patented z9™ detection engine uses machine learning to power zIPS™, mobile on-device Intrusion Prevention System app, and zIAP™, an embedded, In-App Protection SDK that delivers self-protecting iOS and Android apps. Leaders across the mobile ecosystem partner with Zimperium, including mobile operators (Airtel, Deutsche Telekom, SmarTone, SoftBank and Telstra), device manufacturers (Samsung, SIRIN, TriGem), and leading enterprise mobility management (EMM) providers (AirWatch, MobileIron, BlackBerry, Citrix and SAP). Headquartered in San Francisco, Zimperium is backed by Sierra Ventures, Samsung, Telstra, Warburg Pincus and SoftBank. Learn more at or our official blog at

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?