A new batch of thirty-five malware Android apps that display unwanted advertisements was found on the Google Play Store, with the apps installed over 2 million times on victims’ mobile devices.
The apps were found by security researchers at Bitdefender, who employed a real-time behavior-based analysis method to discover the potentially malicious applications.
Following standard tactics, the apps lure users into installing them by pretending to offer some specialized functionality but change their name and icon immediately after installation, making them difficult to find and uninstall.
From then on, the malicious apps begin to serve intrusive advertisements to the users by abusing WebView, generating fraudulent impressions and ad revenue for their operators.
Additionally, because these apps use their own framework to load the ads, it would likely be possible to drop additional payloads on a compromised device.
As Bitdefender explains in the report, the adware apps implement multiple methods to hide on Android and even receive later updates to make it easier to hide on devices.
After installation, the apps typically assume a cog icon and rename themselves as ‘Settings,’ to evade detection and deletion.
If the user clicks on the icon, the app launches the malware app with a 0 size to hide from view. The malware then launches the legitimate Settings menu to trick users into thinking they launched the correct app.
In some cases, the apps assume the appearance of Motorola, Oppo, or Samsung system apps.
The malicious apps also feature heavy code obfuscation and encryption to thwart reverse engineering efforts, hiding the main Java payload inside two encrypted DEX files.
Another method for the apps to hide from the user is to exclude themselves from the ‘Recent apps’ list, so even if they run in the background, exposing active processes won’t reveal them.
Popular apps serving ads
The 35 malicious Android applications have download counts ranging from 10,000 to 100,000, totaling over two million downloads.
The most popular of these, having 100k downloads each, are the following:
- Walls light – Wallpapers Pack (gb.packlivewalls.fournatewren)
- Big Emoji – Keyboard 5.0 (gb.blindthirty.funkeyfour)
- Grand Wallpapers – 3D Backdrops 2.0 (gb.convenientsoftfiftyreal.threeborder)
- Engine Wallpapers (gb.helectronsoftforty.comlivefour)
- Stock Wallpapers (gb.fiftysubstantiated.wallsfour)
- EffectMania – Photo Editor 2.0 (gb.actualfifty.sevenelegantvideo)
- Art Filter – Deep Photoeffect 2.0 (gb.crediblefifty.editconvincingeight)
- Fast Emoji Keyboard APK (de.eightylamocenko.editioneights)
- Create Sticker for Whatsapp 2.0 (gb.convincingmomentumeightyverified.realgamequicksix)
- Math Solver – Camera Helper 2.0 (gb.labcamerathirty.mathcamera)
- Photopix Effects – Art Filter 2.0 (gb.mega.sixtyeffectcameravideo)
- Led Theme – Colorful Keyboard 2.0 (gb.theme.twentythreetheme)
- Animated Sticker Master 1.0 (am.asm.master)
- Sleep Sounds 1.0 (com.voice.sleep.sounds)
- Personality Charging Show 1.0 (com.charging.show)
- Image Warp Camera
- GPS Location Finder (smart.ggps.lockakt)
Of the above, ‘Walls light – Wallpapers Pack’, ‘Animated Sticker Master’, and ‘GPS Location Finder’ are still available on the Play Store when writing this article.
Bleeping Computer has contacted Google on the matter, and we will update this post as soon as we receive a response.
The rest of the listed apps are available on multiple third-party app stores like APKSOS, APKAIO, APKCombo, APKPure, and APKsfull, but the presented download counts are from their time on the Play Store.
That said, if you have installed any of these apps in the past, you should locate and remove them from your device immediately.
Because the apps masquerade themselves as Settings, running a mobile AV tool to locate and remove them might be helpful in this case.
Update 8/27/22: A Google spokesperson has confirmed that the apps mention in this post have been removed from the Play Store.