How FalseGuide Infected 2 Million Android Devices

When downloading apps for Android, it’s common sense to only use the Google Play app. After all, who knows what kind of malware is bundled within apps downloaded from random websites? As such, Google Play has been the go-to place for safe and dependable app downloads. Unfortunately, while it’s the best place to get apps, it’s definitely not foolproof!

Recently it was discovered that a strand of Android malware, called FalseGuide, managed to infect up to 2 million Android phones. How did it do this, and what does it mean for apps as a whole?

The Method


The name “FalseGuide” gives away how the app was distributed. They capitalized on game guide apps, a popular subset of apps on the Android store. Gamers are always looking for guides for games they play, either because it’s difficult or has hidden mechanics. While looking up guides online is no new innovation, apps have brought them into a new interactive format. This means gamers around the world are visiting Google Play for apps to help them beat the games they’re playing.

Malware developers smuggled in FalseGuide by masquerading it as a game guide. These malicious guides were written for popular entries, such as Terraria and World of Tanks, to ensure maximum distribution. Once uploaded, they simply had to wait for people to download the guides by the thousands. The first signs that something was amiss in the world of game guides appeared on April 24th 2017, but the oldest app found with the malware installed was uploaded to Google Play on February 14th 2017. This means the malware had a couple of months of free time to circulate amongst devices.

As far as actually distributing the malware, getting onto Google Play made it incredibly easy for the malware distributors. By smuggling the malware within guides for popular games, people assumed that because it was on Google Play it was 100% safe to download. Under the false assumption that the Play store was infallible, people downloaded the apps without a second thought, infecting their own devices with FalseGuide. Through this, FalseGuide managed to land on 2 million devices in the space of 2 months.

The full list of discovered apps with the malware can be found near the bottom of the official Check Point article.

What Does FalseGuide Do?

Every piece of malware has a purpose. From stealing information to simply doing damage, every malicious attack has a motive behind it. What is FalseGuide’s goal now that it has 2 million devices in its grip?

The objectives of FalseGuide are as follows:

  1. The user finds and initiates the download of an infected game guide on their phone. The app asks for “device admin” install permissions so it can carry out its duties. The user accepts this and installs the app.
  2. FalseGuide, now with device admin permissions, sets itself up so it can’t be erased by the user.
  3. FalseGuide then signs itself up to a service called “Firebase Cloud Messaging” without the user’s knowledge. This is a service that allows app developers to send messages and notifications to their apps and was developed with innocent intent. FalseGuide locates and subscribes to a topic sharing the same name as the app it was delivered in, then waits for further instructions.
  4. Through the Firebase topic FalseGuide can then receive messages from the malware developers to install and run malicious commands.

The result is an undeletable piece of malware that listens to and executes commands given to it by its distributor. These commands can range from installing adware on phones to initiating DDoS attacks on victim servers. In short, FalseGuide gives the malware distributor free rein to do as it pleases with a user’s device.

How Did It Get Accepted?


The problem with apps such as FalseGuide is that they’re disguised as innocent apps, which then become malicious after they’ve been installed. This is done by ensuring the base app contains zero malicious code. It means the “carrier app” will pass the Google Play screening with no malware detected.

Only after it’s installed on a device for a long time will it receive instructions through Firebase. These instructions then give the app the malicious code the malware requires in order to operate. This allows botnets like FalseGuide to establish themselves on Google Play while sliding under the strict anti-malware detection.

Moving Forward

In the wake of a botnet being set up under Google’s nose, what can we, as the users, do to avoid these attacks?

First, if you suspect your phone was hit with FalseGuide, make sure to download and run a trusted antivirus solution for Android. If you’re unsure of what’s safe and what’s not, we ran a list of recommended antivirus apps for you to try.


Regardless of whether or not you were infected, this story is a reminder to be cautious with your Android device. While Google Play is the safest place to download apps from, it’s definitely not perfect! Always read the “Device Permissions” popup and ensure the app isn’t asking to go places where it shouldn’t. If a simple app starts asking for permissions to vital areas of your phone, do not install it.

Misguided Users

With over 2 million devices infected, FalseGuide is a cautionary tale about how not to assume that apps are 100% safe purely because they’re on an official app store. Now you know how FalseGuide works, how it managed to spread, and how to avoid a similar attack in the future.

Have you ever been infected by an app from an official app store? Tell us your stories in the comments!

Simon Batt
Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox