A new batch of thirty-five malicious Android apps that display unwanted ads has been found on the Google Play Store, with the apps installed more than 2 million times on victims’ mobile devices.
The apps were found by security researchers at Bitdefender, who used a real-time, behavior-based analysis method to discover the potentially malicious applications.
Following standard tactics, the apps trick users into installing them by pretending to offer some specialized functionality, but change their name and icon immediately after installation, making them difficult to find and remove.
From then on, the malicious apps start to deliver intrusive advertisements to the users by abusing WebView, thereby generating fraudulent impressions and ad revenue for their operators.
In addition, since these apps use their own framework to load the ads, they could likely drop additional payloads on a compromised device.
As Bitdefender explains in the report, the adware apps implement multiple methods to hide on Android and even receive later updates that make them easier to hide on devices.
Once installed, the apps usually take on a gear icon and rename themselves as “Settings” to evade detection and removal.
If the user clicks on the icon, the malware app launches with a size of 0 to hide from view. It then launches the legitimate Settings menu to trick users into thinking they have opened the correct app.
In some cases, the apps take on the appearance of system apps from Motorola, Oppo or Samsung.
The malicious apps also include heavy code obfuscation and encryption to thwart reverse engineering efforts, hiding the main Java payload in two encrypted DEX files.
Another way the apps hide from the user is by excluding themselves from the “Recent apps” list, so even when they run in the background, they do not show up among the running apps.
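A defender-side triage sketch for the hiding behaviours described above (an added example, not code from Bitdefender or from this article): it scans a decoded AndroidManifest.xml for a launcher entry that claims the "Settings" label from a non-system package, or that sets `android:excludeFromRecents`. The label set, the trusted package prefix, the finding names and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: labels an ordinary store app has no reason to claim.
SYSTEM_LABELS = {"settings"}
# Assumption: package prefix treated as a genuine system app (heuristic only).
TRUSTED_PREFIXES = ("com.android.",)
# Constructed sample manifest, as it would look after decoding an APK.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
 package="example.constructed.wallpapers"><application android:label="Wallpapers">
 <activity android:name=".Main" android:label="Settings"
  android:excludeFromRecents="true"><intent-filter>
  <action android:name="android.intent.action.MAIN"/>
  <category android:name="android.intent.category.LAUNCHER"/>
 </intent-filter></activity></application></manifest>"""

def is_launcher(component):
    """True if the component has a MAIN/LAUNCHER filter, i.e. a home-screen icon."""
    for flt in component.findall("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in flt.findall("action")}
        cats = {c.get(ANDROID + "name") for c in flt.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False

def triage_manifest(xml_text):
    """Return (component, finding) pairs for the hiding indicators."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        return []
    trusted = root.get("package", "").startswith(TRUSTED_PREFIXES)
    findings = []
    for comp in app.findall("activity") + app.findall("activity-alias"):
        if not is_launcher(comp):
            continue
        name = comp.get(ANDROID + "name", "?")
        # A component without its own label inherits the application label.
        label = comp.get(ANDROID + "label", app.get(ANDROID + "label", ""))
        if label.strip().lower() in SYSTEM_LABELS and not trusted:
            findings.append((name, "system-label"))
        if comp.get(ANDROID + "excludeFromRecents") == "true":
            findings.append((name, "hidden-from-recents"))
    return findings

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

Labels given as resource references (for example `@string/app_name`) need to be resolved against the decoded string resources before this comparison is meaningful.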
Popular apps that show ads
The 35 malicious Android applications have download counts ranging from 10,000 to 100,000, totaling more than two million downloads.
The most popular of these, with 100,000 downloads each, are the following:
- Walls light – Wallpapers Pack (en.packlivewalls.fournatewren)
- Big Emoji – Keyboard 5.0 (gb.blindthirty.funkeyfour)
- Large Wallpapers – 3D Wallpapers 2.0 (gb.convenientsoftfiftyreal.threeborder)
- Motorcycle Wallpapers (gb.helectronsoftforty.comlivefour)
- Stock Wallpapers (en.fiftysubstantiated.wallsfour)
- EffectMania – Photo Editor 2.0 (en.actualfifty.sevenelegantvideo)
- Art Filter – Deep Photo Effect 2.0 (gb.crediblefifty.editconvincingeight)
- Fast Emoji Keyboard APK (de.eightylamocenko.editioneights)
- Create Sticker for WhatsApp 2.0 (gb.convincingmomentumeightyverified.realgamequicksix)
- Math Solver – Camera Helper 2.0 (gb.labcamerathirty.mathcamera)
- Photopix Effects – Art Filter 2.0 (gb.mega.sixtyeffectcameravideo)
- Led Theme – Colorful Keyboard 2.0 (gb.theme.twentythreetheme)
- Animated Sticker Master 1.0 (am.asm.master)
- Sleep Sounds 1.0 (com.voice.sleep.sounds)
- Charging Personality Show 1.0 (com.charging.show)
- Image Warp Camera
- GPS location finder (smart.ggps.lockakt)
Of the above, ‘Walls light – Wallpapers Pack’, ‘Animated Sticker Master’ and ‘GPS Location Finder’ are still available in the Play Store at the time of writing this article.
Bleeping Computer has reached out to Google about this and we will update this post as soon as we receive a response.
The rest of the apps listed are available in multiple third-party app stores such as APKSOS, APKAIO, APKCombo, APKPure, and APKsfull, but the download numbers presented reflect their time on the Play Store.
That being said, if you have installed any of these apps in the past, you should immediately track them down and remove them from your device.
In this case, since the apps pretend to be Settings, it might be helpful to use a mobile AV tool to locate and uninstall them.