Over 20 million devices have downloaded a new class of activity-tracking apps that have recently experienced enormous success on Google Play, the official app store for Android.  

The apps advertise themselves as fitness, pedometer, and habit-building tools, promising to award users randomly for maintaining an active lifestyle, achieving distance targets, etc.  

But, according to a study by the Dr. Web antivirus, the prizes could be difficult to redeem or are only partially made accessible after requiring users to watch a lot of advertising.  

According to Dr. Web’s report, these are three noteworthy examples:  

  • Lucky Step – Walking Tracker – 10 million downloads  
  • WalkingJoy – 5 million downloads  
  • Lucky Habit: health tracker – 5 million downloads 
google play store

According to Dr. Web, all three apps communicate using the same remote server address, pointing to a single operator/developer. All three are still available on Google Play as of this writing.  

According to the antivirus company, the apps only permit withdrawals once users have racked up a sizable number of points. Even then, they guarantee that consumers will unlock “profits” after watching a dozen promotional videos.  

The apps purportedly push even more advertising following a round of seeing them to “speed up” the withdrawal.  

Along with these warning indicators, Dr. Web notes that an earlier version of “Lucky Step – Walking Tracker” allowed users to turn in-app awards into gift cards that could be used to buy products in actual online stores.  

The Features

However, this feature has been deleted from the settings in more current iterations of the app, making it unclear what the prizes can now be converted to.  

According to reviews submitted by customers on Google Play, “Lucky Step – Waling Tracker” behaves like adware, loading full-screen advertisements upon screen unlock and even replacing open windows. 

google play store reviews

‘Wonder Time,’ a rewards app with 500,000 downloads, is another illustration of a comparable product that is still accessible on Google Play.  

The programme claims that users will receive real money for various tasks like downloading and installing extra software and games.  

However, the tokens users earn for each action pale compared to the developer’s minimal earnings withdrawal barrier. 

google play store app
Wondertime app on Google Play

Phishing games 

In the same research, Dr. Web warned about the over 450,000 downloads of phishing apps on Google Play that were passed off as investment apps and games. 

The app’s launch by connecting to a remote server, where they receive a configuration that tells them what to do. The instructions typically involve opening phishing pages that ask visitors to provide sensitive information. 

The malicious game apps observed by Dr. Web are the following: 

  • Golden Hunt – 100,000 downloads 
  • Reflector – 100,000 downloads 
  • Seven Golden Wolf blackjack – 100,000 downloads (still on Google Play) 
  • Unlimited Score – 50,000 downloads 
  • Big Decisions – 50,000 downloads 
  • Jewel Sea – 10,000 downloads 
  • Lux Fruits Game – 10,000 downloads 
  • Lucky Clover – 10,000 downloads 
  • King Blitz – 5,000 downloads 
  • Lucky Hammer – 1,000 downloads 

If any of the aforementioned phishing apps are already installed on your Android phone, you should uninstall them right once. After that, conduct an antivirus scan to find and get rid of any leftovers. 

Google has been questioned regarding the security of the apps that are still available on the Play Store by BleepingComputer. We will update this page as soon as we hear back from Google.