Mobile threat researchers at Check Point have discovered a new strain of malware infecting millions of Android devices via Google Play. The researchers claim that the new botnet malware dubbed FalseGuide was hidden in over 40 guide apps for games in Google Play.
"Check Point notified Google about the malware, and it was swiftly removed from the app store," point out Oren Koriat, Andrey Polkovnichenko, and Bogdan Melnykov researchers in a blog post.
The researches add that the infected apps managed to cross 50,000 installs, and roughly infected up to 600,000 devices. Check Point, however, has since updated the blog post adding FalseGuide attack was far more extensive than originally understood. Five new infected apps were found in Google Play which were uploaded in as early as November 2016 suggesting that these managed to hide successfully for five months.
"The apps were uploaded to the app store as early as November 2016, meaning they hid successfully for five months, accumulating an astounding number of downloads. The updated estimate now includes nearly 2 million infected users," wrote the researchers.
The researchers also explain how the new FalseGuide malware functions as these create a "silent botnet" out of the infected devices for adware purposes.
For those unaware, a botnet is a group of devices controlled by hackers without the knowledge of their owners, and are used for various purposes "based on the distributed computing capabilities of all the devices."
Further detailing, researchers added, "FalseGuide requests an unusual permission on installation - device admin permission. The malware uses the admin permission to avoid being deleted by the user, an action which normally suggests a malicious intention. The malware then registers itself to a Firebase Cloud Messaging topic which has the same name as the app."
Once subscribed, FalseGuide"malware can help download additional modules on the infected device. "Depending on the attackers' objectives, these modules can contain highly malicious code intended to root the device, conduct a DDoS attack, or even penetrate private networks," concluded researchers.
According to researchers,"FalseGuide malware covers itself as guiding apps as it's easy to monetise on the success of the original gaming app and guiding apps require very little development and feature implementation. Check Point has listed all the games that carry the new FalseGuide malware.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.