Dozens of Apps on Microsoft Store Displaying Adult, Gambling Content
Symantec found 81 deceptive PUAs displaying pornographic and gambling content.
On March 14, we discovered 81 potentially unwanted applications (PUAs) on the Microsoft Store, some of which display pornographic images and gambling content. While some have been removed, most of these apps are still available to download from the app store.
The apps cover a range of different categories such as sports, games, news, tips, etc. They appear to be published by more than 30 different developers. A full list of the 81 apps, as well as their store page links and author names, can be found in the table at the end of this blog.
Fake apps
To trick users, the apps use familiar names from some popular brands in their titles, such as Wix Updates Application, Antivirus Avira App, Norton Antivirus Updates App, McAfee Antivirus Updates News, Tinder Dating Updates, Tips and Games, and Grindr Updates.
However, these apps have nothing to do with the brands or their original apps. In fact, some of them display content such as pornographic images and advertisements for gambling websites. Other apps merely redirect users to the legitimate website of the brand they are claiming to be related to but they all have the ability to display whatever content they chose at a later date.
Questionable content
All these apps show their unsavory content at start time (see Figures 3 and 4 for examples).
At the same time, none of the apps state this behavior in the description section on the app store page. In fact, the apps all display innocuous screenshots provided by the developers, which are totally unrelated to the real functionality of the apps.
Shared server
We analyzed the samples and found that they all call http://myservicessapps[DOT]com/firebase/[PHP Name]?app=[APP ID] to get the configuration for the current application, where the app can parse the style and specified URL by the “red_ph” value in the configuration. For example, for the app Buy Bitcoin, the app will call http://myservicessapps[DOT]com/firebase/win_new_cl.php?app=2504-buy-bitcoin at app start time to retrieve the configuration, and the “red_ph” value directs the application to behave accordingly. This tactic allows the apps to display whatever content the developers choose, so even the apps that currently redirect to legitimate websites could display dodgy content at a later date.
Potential for more serious risks
Since the app is fully controlled by the server, it is possible for the developer to inject malicious code of their choosing. This could, for example, be coin-mining scripts, allowing the app developers to generate profit from users who have installed their apps. The developers can also display phishing websites in the apps. In fact, some of the apps already show suspicious phishing content that requests credit card information (Figure 7).
Similar file structure
We explored the application packages of all 81 apps and found that the content of each looks very similar (Figure 8). This, combined with the fact that they are sharing the same server, makes it highly likely that these applications are published by the same group of developers.
Microsoft was notified about our discovery and said it would investigate. Several of the apps are no longer available on the Microsoft Store.
Mitigation
Stay protected from malware and other risks by taking these precautions:
- Keep your software up to date
- Do not download apps from unfamiliar sites
- Only install apps from trusted sources
- Install a suitable security app, such as Norton or Symantec Endpoint Protection, to protect your device and data
- Make frequent backups of important data
In addition, the following tips can help you avoid downloading PUAs:
- Check the name of the app you’re thinking of downloading. If it’s a popular app, search online for it and make sure the name matches the results. Fake app authors will often add words to the legitimate app’s name, such as “Updates” which can be a clue something isn’t right.
- Check the app developer’s name, which can be found on the app’s store page. Do an internet search for the developer as there may be users who have had experience of their apps—good or bad.
- Check the app reviews. While fake reviews are common, they’re often short and generic. There may also be legitimate reviews from users who have figured out that the app isn’t what it appears to be.
- There may also be some visual clues that the app is not legitimate, such spelling mistakes or layouts and user interfaces that look unprofessional.
Protection
Symantec and Norton products detect the apps as the following:
List of apps
| App name | Store URL | Author |
|---|---|---|
| Roxy Palace | REMOVED FROM STORE | donaldgreenleaf1211 |
| DrueckGlueck | REMOVED FROM STORE | donaldgreenleaf1211 |
| Winline | https://www.microsoft.com/en-us/p/winline/9njnz0bcwz1r?activetab=pivot:overviewtab | DevelopersTeam 2019 |
| NordicBet | https://www.microsoft.com/en-us/p/nordicbet/9p6d8n5l2nlg?activetab=pivot:overviewtab | DevelopersTeam 2019 |
| OLIMP APPLICATION | REMOVED FROM STORE | Aaron188271 |
| Regal Wins | REMOVED FROM STORE | Aaron188271 |
| Buy Bitcoin. | REMOVED FROM STORE | JohnJonesapp1112 |
| Coinbase Updates | REMOVED FROM STORE | JohnJonesapp1112 |
| Ethereum | REMOVED FROM STORE | JohnJonesapp1112 |
| SportingBet App | https://www.microsoft.com/en-us/p/sportingbet-app/9nnwp163h6gd?activetab=pivot:overviewtab | ChrisTimothy188271 |
| Wix Updates Application | https://www.microsoft.com/en-us/p/wix-updates-application/9p4vrnzq3jkj?activetab=pivot:overviewtab | ChrisTimothy188271 |
| Antivirus Avira App | REMOVED FROM STORE | ChrisLewis19912 |
| Grand National Updates | REMOVED FROM STORE | MikeDsouzaApp |
| Slots. | https://www.microsoft.com/en-us/p/slots/9ntbcdg2mmvs?activetab=pivot:overviewtab | waltersteve1818 |
| OkCupid App | https://www.microsoft.com/en-us/p/okcupid-app/9nd0r35c20d2?activetab=pivot:overviewtab | waltersteve1818 |
| Sky Bet Updates Action | https://www.microsoft.com/en-us/p/sky-bet-updates-action/9pmlj9crkgq7?activetab=pivot:overviewtab | MaddocksSis |
| Norton Antivirus Updates App | REMOVED FROM STORE | Vladimir Develop |
| DafaBet App | REMOVED FROM STORE | Developer System 3D |
| Bets10 App | REMOVED FROM STORE | Developer System 3D |
| Foxy Bingo Games and News App | REMOVED FROM STORE | leonmat1818 |
| Moon Bingo App | REMOVED FROM STORE | leonmat1818 |
| Unique Casino | https://www.microsoft.com/en-us/p/unique-casino/9p153j64g29z?activetab=pivot:overviewtab | marky18281 |
| Betfred Sports | https://www.microsoft.com/en-us/p/betfred-sports/9p3mdm4rwmh7 | marky18281 |
| Betfred Updates | https://www.microsoft.com/en-us/p/betfred-updates/9nzjrz06q2lt?activetab=pivot:overviewtab | Kevilum |
| Bwin Scommesse | REMOVED FROM STORE | mitchelljordan999 |
| McAfee Antivirus Updates News | REMOVED FROM STORE | Williamswill1212 |
| Kraken. | REMOVED FROM STORE | jacobapps2017 |
| 888Poker Application | REMOVED FROM STORE | CharlesDavid91881 |
| Bet365 Updates App | REMOVED FROM STORE | CharlesDavid91881 |
| bet365 sports app | https://www.microsoft.com/en-us/p/bet365-sports-app/9mwrg4l37ktm?activetab=pivot:overviewtab | StephanAppsz |
| casino.com | https://www.microsoft.com/en-us/p/casinocom/9mwd36qr7gwg#activetab=pivot:overviewtab | StephanAppsz |
| Gala Bingo Application | https://www.microsoft.com/en-us/p/gala-bingo-application/9n0kwf10586v?activetab=pivot:overviewtab | NathanMachan |
| 888 Sport Application | https://www.microsoft.com/en-us/p/888-sport-application/9nvwcs4d6zql?activetab=pivot:overviewtab | Cityvesse |
| Poker-Stars | https://www.microsoft.com/en-us/p/poker-stars/9nz5bfk0nv1l?activetab=pivot:overviewtab | Cityvesse |
| Ratucasino88 Games and News | https://www.microsoft.com/en-us/p/ratucasino88-games-and-news/9nqzcb711xl9?activetab=pivot:overviewtab | TimothyJack6595 |
| Nossaaposta App | https://www.microsoft.com/en-us/p/nossaaposta-app/9pf3kpkqs4ts#activetab=pivot:overviewtab | TimothyJack6595 |
| Parx Casino | https://www.microsoft.com/en-us/p/parx-casino/9n6mfg0c2hmm?activetab=pivot:overviewtab | Alexand Develop |
| Fortuna Application | https://www.microsoft.com/en-us/p/fortuna-application/9nq79cghdnfd?activetab=pivot:overviewtab | AllenKevin19929 |
| Bet90 | https://www.microsoft.com/en-us/p/bet90/9nw8snjbq3q2#activetab=pivot:overviewtab | AllenKevin19929 |
| Allslots. | REMOVED FROM STORE | johnsonapps2014 |
| Bitstamp App | REMOVED FROM STORE | RonaldHuffapps |
| CoinMarketCap Application | REMOVED FROM STORE | RonaldHuffapps |
| AFF Dating Updates App | https://www.microsoft.com/en-us/p/aff-dating-updates-app/9pjbsm19rdt3#activetab=pivot:overviewtab | Dmimty Developer |
| YouWin App | https://www.microsoft.com/en-us/p/youwin-app/9ngpzh3rwrg4#activetab=pivot:overviewtab | Dmimty Developer |
| Boxing App | REMOVED FROM STORE | ClintSaunders88181 |
| Lottoland | https://www.microsoft.com/en-us/p/lottoland/9nz2s1kd3684?activetab=pivot:overviewtab | ArcadiyDevelop |
| Fafafa gold slots | https://www.microsoft.com/en-us/p/fafafa-gold-slots/9p1n9f1sbkbj?activetab=pivot:overviewtab | ArcadiyDevelop |
| ASHLEY MADISSON DATING UPDATES APP | https://www.microsoft.com/en-us/p/ashley-madisson-dating-updates-app/9mxz2846jdj4?activetab=pivot:overviewtab | New Nice Company Dev |
| Open365 | https://www.microsoft.com/en-us/p/open365/9ng9d3z8pm2p?activetab=pivot:overviewtab | New Nice Company Dev |
| Poker. | https://www.microsoft.com/en-us/p/poker/9nlql7f55fmg?activetab=pivot:overviewtab | HoangVanLoc |
| eSports Betting | https://www.microsoft.com/en-us/p/esport-betting/9pcmtm4d5q96?activetab=pivot:overviewtab | HoangVanLoc |
| Jackpotjoy | REMOVED FROM STORE | Anthonyturnerapps |
| Tinder Dating Updates, Tips and Games | https://www.microsoft.com/en-us/p/tinder-dating-updates-tips-and-games/9pcmssk14gtj?activetab=pivot:overviewtab | Vladimir Develop |
| Sportium | https://www.microsoft.com/en-us/p/sportium/9n4blvr6wb20?activetab=pivot:overviewtab | Dmitry Rey Dev |
| Casitabi カジ旅 | https://www.microsoft.com/en-us/p/casitabi-%E3%82%AB%E3%82%B8%E6%97%85/9pcxdv27chql?activetab=pivot:overviewtab | Dmitry Rey Dev |
| Tombola Bingo App | https://www.microsoft.com/en-us/p/tombola-bingo-app/9n6cwlppzcsl?activetab=pivot:overviewtab | EliotChica |
| Svenskaspel | https://www.microsoft.com/en-us/p/svenskaspel/9nmlf554ct4c?activetab=pivot:overviewtab | MarkLawles19920 |
| Betclick | https://www.microsoft.com/en-us/p/betclick/9pf48jvkfr3s?activetab=pivot:overviewtab | MarkLawles19920 |
| BetVictor Updates | https://www.microsoft.com/en-us/p/betvictor-updates/9nd7mt6t8jms?activetab=pivot:overviewtab | MinyanRyan |
| كازينو | https://www.microsoft.com/en-us/p/%D9%83%D8%A7%D8%B2%D9%8A%D9%86%D9%88/9mxr2phprtm3#activetab=pivot:overviewtab | MinyanRyan |
| Badoo News and Updates App | https://www.microsoft.com/en-us/p/badoo-news-and-updates-app/9nbl12vs4fdb?activetab=pivot:overviewtab | olivervapp |
| 1x Bet | https://www.microsoft.com/en-us/p/1x-bet/9nr43fdpqcdk#activetab=pivot:overviewtab | Benjamin19191 |
| Paddy Sports | https://www.microsoft.com/en-us/p/paddy-sports/9nz0gnw5nw5x?activetab=pivot:overviewtab | Benjamin19191 |
| Balkan Bet | REMOVED FROM STORE | Benji19919 |
| Betin Updates | https://www.microsoft.com/en-us/p/betin-updates/9njxh679bq3c?activetab=pivot:overviewtab | Torresakin |
| Unibet Games and News | https://www.microsoft.com/en-us/p/unibet-games-and-news/9pfv66vqc9f6?activetab=pivot:overviewtab | Torresakin |
| 10Bet | https://www.microsoft.com/en-us/p/10bet/9pm6qv486wpb?activetab=pivot:overviewtab | Podyanou |
| Global Poker | https://www.microsoft.com/en-us/p/global-poker/9n3zc1drslls?activetab=pivot:overviewtab | Timothy17726 |
| BLENDR HOOK UP DATING UPDATES | https://www.microsoft.com/en-us/p/blendr-hook-up-dating-updates/9p6lg1v0wthr?activetab=pivot:overviewtab | Timothy17726 |
| BETBOO | https://www.microsoft.com/en-us/p/betboo/9p6nbtj3wm7l?activetab=pivot:overviewtab | Dev Dmitry Games |
| Monopoly Casino | https://www.microsoft.com/en-us/p/monopoly-casino/9n9p2pl6r4m2?activetab=pivot:overviewtab | Dev Dmitry Games |
| William Hill Sports Bet | https://www.microsoft.com/en-us/p/william-hill-sports-bet/9nblggh5jqnk?activetab=pivot%3Aoverviewtab | Liamerlass |
| William Hill Sportbook. | REMOVED FROM STORE | Ez Developer Co |
| 22Bet | REMOVED FROM STORE | PeterChrisAppz |
| Grosvenor Casino App | REMOVED FROM STORE | JamesIssue |
| Huuuge Casino Games Updates | REMOVED FROM STORE | RossApps1991 |
| Grindr Updates | REMOVED FROM STORE | RossApps1991 |
| Huuuge Games Application | https://www.microsoft.com/en-us/p/huuuge-games-application/9nm2mvbjhv5k | NickNelson1199 |
| Winamax App | https://www.microsoft.com/en-us/p/winamax-app/9pl602zmzl44#activetab=pivot:overviewtab | Dev ACCS dEVELOPER |
| Casino Metropol Updates | https://www.microsoft.com/en-us/p/casino-metropol-updates/9ndr4g5z5rkj?activetab=pivot:overviewtab | Dev ACCS dEVELOPER |
| Norton Free Antivirus Updates Guide | REMOVED FROM STORE | TimothyJack18818 |
