The Latest in IT Security

Fake Windows Media Player uses a variety of ad services to milk Android users – The G Data SecurityLabs discovered a new set of cheating apps with tricky ad strategies in Google Play, as a successor of the fake VLC player app


The original Windows Media Player is one of the most popular media applications worldwide. It runs on Windows computers, Windows phones and, as a plug-in, under Mac OS X. Unfortunately, the Android platform is not yet supported and this is the point of attack used by intruders. They publish an app, which disguises as Windows Media Player, and hope for many downloads. Their goal: Generating money through various ad implementations.
G Data products detect the analyzed apps as Android.Adware.Copycat.A

What are those mentioned ad strategies?

Strategy 1: Selling ads via audio!
The app requests the permission to “intercept outgoing calls” to exchange the normal dial tone a user would hear with audio advertisements! The coder included a code package leading to a company providing this audio based mobile ad network.During our tests, these advertisements did not stop immediately when the called person attends the call – the sound just plays on and this is quite disturbing.

Strategy 2: Call-to-action after the call
With the help of the aforementioned code package, there is a possibility to initiate an ad-screen after the user has ended the call.

Strategy 3: Showing ads in the notification bar
In the notification bar, the developer integrates further advertisements.

Strategy 4: Showing regular ads
The apps can show regular banners ads within the apps. This is, at the moment, the most common way to monetize an app.

Strategy 5: Showing the other apps of the set on an app wall
Within the software, the developers integrated a “More cool apps” button which is visible after a click on the menu button. A click leads the mobile device to a so-called app wall with the other apps of this particular set we are discussing.

Strategy 6: Showing new icons on home screen
The app installs new icons on the mobile device’s home screen. A click leads to a list of apps the user can install. In most of the cases, the provider of this list gets paid per install (PPI).

Most of the strategies don’t need the app running in the foreground; the app only needs to be installed on the device to get ads triggered. The app downloads JSON objects from a server which include details about the contents the app is supposed to implement. For example: Which icons should appear on the home screen, etc.

About the set of apps:
The set of apps has been published during the last few days and the fake Windows Media Player alone has reached over 10,000 downloads from Google Play since then.
It can actually play media files, because the original source code was copied from a real and legitimate open source media app: called Dolphin Player, coded by Broov. The copied implementation in the fake app reacted quite buggy. It randomly stopped working in our tests after we “tabbed out” of the software. But, even though there are problems, directly after the initial start, they ask the user to rate the app 5 star in case they like it. to lure more victims with those good ratings:
Screenshot of the developers asking for a good rating, directly after the initial app start

The other apps of this set were also copied from open source apps, but they at least have/had references to their sources within the Google Play overview.

Why is the software rated as Adware?
The software does not harm the user directly in the sense of generating high costs on the phone bill, stealing personal information or similar. But, the applications are fake, because the offered apps are copies of legitimate software, even boosted with misleading names and logos (e.g. Windows Media Player). Furthermore, some users report performance problems, as we have experienced them as well; most probably because of defects due the code copying. Calls made from devices infected with these apps were disrupted by the aggressive ads and the home screen was filled up with shortcuts to online marketing sites.
Taken everything into consideration, the only use of these apps is the money flush for the developer.


By the time of writing this article, Google has pulled the fake Windows Media Player, the fake Media Player Classic and the fake N64 Emulator from Play. We suspect that this happened due to the fact that the developer used copyrighted names for his apps! We can only speculate if the ad-flood also influenced the Play ban. However, the other two apps currently remain in Google Play.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments