A new category of activity tracking apps has recently seen huge success on Google Play, Android’s official app store, having been downloaded on over 20 million devices.

The apps bill themselves as health, pedometer, and fitness apps, promising to give users random rewards for staying active in their daily lives, meeting distance goals, and more.

According to a report from the Dr. Web antivirushowever, rewards may be uncashable or only partially available after forcing users to watch a large number of advertisements.

Three notable examples listed in the Dr. Web report are:

• Lucky Step – Walk Tracker – 10 million downloads
• WalkJoy – 5 million downloads
• Lucky Habit: Health Tracker – 5 million downloads

Dr. Web indicates that the three applications communicate with the same remote server address, indicating a common operator/developer. At the time of writing, all three remain available on Google Play.

The antivirus company claims that the apps do not allow withdrawals until users have accrued a significant amount of rewards. Even then, they promise to unlock “earnings” after users sit down and watch a dozen ad videos.

Even after watching a series of ads, the apps push even more ads supposedly to “speed up” the withdrawal process.

In addition to these signs, Dr. Web reports that an earlier version of “Lucky Step – Walking Tracker” offered the ability to convert in-app rewards into gift cards that users could use to purchase goods in various locations. real online stores.

In recent versions of the app, however, this feature has been removed from the options, so it’s no longer clear what the rewards can be converted into.

Some Google Play users have left reviews stating that “Lucky Step – Waling Tracker” acts like adware, loading full-screen ads when unlocking the screen, even replacing active windows.

Another example of a similar app which is still available on Google Play is “Wonder Time”, a rewards app which has amassed 500,000 downloads.

The app promises to reward real money for completing various tasks like installing additional apps and games.

However, the tokens that users receive for each action are tiny compared to the minimum earnings withdrawal threshold set by the developer.

Phishing Games

In the same report, Dr. Web warned that phishing apps disguised as investment apps and games were found on Google Play, measuring over 450,000 downloads.

Applications connect to a remote server on launch and receive a configuration telling them what to do. Typically, the instructions involve loading phishing pages that ask users to enter sensitive details.

The malicious gaming applications observed by Dr. Web are as follows:

• gold hunt – 100,000 downloads
• Reflector – 100,000 downloads
• Blackjack Seven Golden Wolf – 100,000 downloads (still on Google Play)
• Unlimited scoring – 50,000 downloads
• big decisions – 50,000 downloads
• Jewel Sea – 10,000 downloads
• Lux Fruit Game – 10,000 downloads
• lucky clover – 10,000 downloads
• King Blitz – 5,000 downloads
• lucky hammer – 1,000 downloads

If any of the above phishing apps are installed on your Android device, you should uninstall it immediately and then run a virus scan to locate and remove any residue.

BleepingComputer has reached out to Google with questions about the security of apps that are still on the Play Store, and we’ll update this post as soon as we receive a response.