FalseGuide is an Android malware that was found in 40 apps available on the Google Play Store, the oldest of which was uploaded on February 14, 2017. The malware was hidden in "game guide" apps for popular gaming apps, with installs of over two million. The attackers's main purpose is to add the infected devices as a bots in their silent botnet, used for adware.

After an infected application is installed, the malware requests "Device Admin" permission that creates a separate admin account for the app that prevents it from being easily deleted by the user. The app then connects to a Firebase Cloud Messaging thread, used to send additional modules to infected devices that can root the user's device, launch a DDoS attack, attempt to access private networks, or display ads to infected hosts. Thus far, the malware has only been used to display ads.


  • April 2017: FalseGuide malware dupes 600,000 Android users into joining botnet (ZDNet)

Technical Details

  • Check Point researchers provide technical analysis here.
  • BleepingComputer provides additional analysis here.