Android Malware Changes Own Icon to System Apps

John Lister's picture

Malware creators are using new tactics to avoid their malicious Android apps being exposed. The scam involves hiding and even disguising apps as legitimate ones once they've been installed.

Fake Apps Receive Fake Praise

It's a twist on a well-established scam in which malware is distributed through apps that appear to perform a basic function such as reading QR codes, or turning the camera flash into a flashlight.

Thanks to a host of bogus rave-reviews in the Google Play store, the only way to spot something is amiss is that the apps will ask for specific access permissions that are clearly not relevant to the advertised functions.

The most common purpose of the rogue apps is to use the hijacked phone to fraudulently (and secretly) visit websites in the background in order to make bogus views and clicks on advertisements on websites that are owned by scammers. This will is referred to as click fraud and will net the scammer big bucks in a short amount of time, considering some apps are downloaded hundreds of thousands of times.

It's bad news for phone users as the background activity can be so relentless it can drain battery, slow a phone down, eat up mobile data allowances and overheat the handset.

Apps Use Bogus Icons

Security company Sophos says it's spotted 15 apps on Google Play which use this technique, but have added one or both of a couple of new tricks.

The first is to set the app to hide its icon from the app drawer, which is the screen that shows all apps installed on a phone, displayed as a set of icons. (Source:

The other trick is to replace the original app icon with something that looks legitimate and even essential. Examples include "Update" and, particularly cheekily, "Google Play Store."

In both cases, the idea is to hope users forget they've installed the app, reducing the chances they'll remove it during a routine clean-up or after the app is exposed as rogue.

The original names of the 15 apps exposed by Sophos are:

  • Auto Cut Out
  • Auto Cut Out 2019
  • Auto Cut Out Pro
  • Background Cut Out
  • Background Cut Out New
  • Find Your Phone: Whistle
  • Flash On Calls & Messages
  • Generate Elves
  • ImageProcessing
  • Imagine Magic
  • Photo Background
  • QR Artifact
  • Read QR Code
  • Savexpense
  • Scavenger - speed guard

How To Spot Fake 'System Apps'

Sophos notes that the easiest way to check if any of these apps are on a phone and have disguised themselves is to open the Settings Menu (by sliding it down from the top of the phone) and then go to the "Apps & Notifications" option. This will show recently opened apps, with an option to see the full list.

If this option isn't available you can go to Settings -> Apps to see the list of installed apps, but they won't be listed chronologically.

The disguised apps will have generic names and have the Android system app icon. On recent editions of Android, this icon is the top half of a "robot head" on a green background with a white grid.

Tapping on the app's name will open a screen with more info. A legitimate Android system app will have the options of "Disable" and "Force Stop." An app installed by the user, such as the scam ones, will instead have the options of "Uninstall" and "Force Stop."

Clicking "Force Stop", then "Uninstall" (if the option is available) is the best option to stop and uninstall any app. Even apps that can't be uninstalled can be Force Stopped and will remain that way until they are run again by the user. (Source:

What's Your Opinion?

Do you know what apps are on your phone? Do you regularly check to see if anything is amiss? Could Google do more to warn users about suspicious apps?

Rate this article: 
Average: 4.9 (9 votes)