Android Malware Campaign Targets 60,000 Apps with Adware that Displays Harmful Ads
Researchers from Bitdefender have discovered a malicious campaign that attacked Android devices worldwide through adware disguised as fake security software, game cracks, cheats, VPN software, the Netflix streaming app, and utility apps on third-party sites, among others. The campaign was primarily targeted at US users and has been ongoing since October 2020. The researchers say the malicious actors are mainly using the adware to generate revenue, but they could easily redirect users to more dangerous types of malware such as banking Trojans, ransomware, and credential-stealing Trojans. The researchers have discovered more than 60,000 different apps carrying the adware, and they expect that many more similar malware-infected apps are in the wild.
The Organic Distribution of the Malware Is Notable
One of the notable characteristics of the malware distribution is that it appears automated and “organic”, according to the researchers. The malware is triggered when users worldwide search for specific apps on the internet. Typically, the victims are looking for unlocked versions of paid apps. Modded apps are in high demand, with entire websites dedicated to offering these types of packages. When someone opens a website from a Google search for a modded app, they are redirected to an ad page, which is often a download page for malware masked as a legitimate download.
How the Android Malware Works
Since API 30, Google has removed the option to hide the app icon on Android once a launcher is registered. However, many of the malicious apps in the current campaign do not register any launchers and rely solely on the user to run them for the first time. The researchers explain that when a downloaded application is installed, the last screen in the procedure offers to “Open” the app. In the case of the malware, this is all it needs to ensure that it will not be removed. On this screen, the app shows an “application is unavailable” message to trick the user into thinking it was never installed. This then sets off a unique detection tactic. The app immediately sleeps for two hours before registering two ‘intents’ that cause the app to launch when the device is booted or unlocked.
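A static triage check for the pattern described above, as an added example that is not code from the researchers or from this article: it flags a manifest that has no launcher entry yet declares receivers for boot or unlock. It assumes the manifest has already been decoded to text XML and that the two triggers map to the BOOT_COMPLETED and USER_PRESENT broadcasts declared in the manifest (receivers registered at runtime are not visible to it); the function name and the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"
# Assumed mapping of "booted or unlocked" to platform broadcasts (not named in the article).
WAKE_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.intent.action.USER_PRESENT"}

def _names(node, tag):
    """android:name values of all <tag> elements under node."""
    return {el.get(NS + "name") for el in node.iter(tag)}

def triage_manifest(xml_text):
    """Flag a decoded AndroidManifest.xml with no launcher entry but boot/unlock receivers."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    components = [] if app is None else list(app)
    # A launcher icon needs MAIN + LAUNCHER in the same intent-filter of an activity.
    has_launcher = any(
        MAIN in _names(f, "action") and LAUNCHER in _names(f, "category")
        for c in components if c.tag in ("activity", "activity-alias")
        for f in c.iter("intent-filter"))
    wake = sorted({a for c in components if c.tag == "receiver"
                   for a in _names(c, "action") if a in WAKE_ACTIONS})
    return {"package": root.get("package"), "has_launcher": has_launcher,
            "wake_actions": wake, "suspicious": not has_launcher and bool(wake)}

# Constructed sample manifests (not taken from any real app).
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s"><application>'
_TAIL = "</application></manifest>"
_RECEIVER = ('<receiver android:name=".Wake"><intent-filter>'
             '<action android:name="android.intent.action.BOOT_COMPLETED"/>'
             '<action android:name="android.intent.action.USER_PRESENT"/>'
             '</intent-filter></receiver>')
HIDDEN = _HEAD % "com.example.hidden" + '<activity android:name=".Main"/>' + _RECEIVER + _TAIL
NORMAL = (_HEAD % "com.example.normal" + '<activity android:name=".Main"><intent-filter>'
          '<action android:name="android.intent.action.MAIN"/>'
          '<category android:name="android.intent.category.LAUNCHER"/>'
          '</intent-filter></activity>' + _RECEIVER + _TAIL)

if __name__ == "__main__":
    for sample in (HIDDEN, NORMAL):
        print(triage_manifest(sample))
```

A hit is a triage signal for closer review rather than a verdict, since legitimate apps without a launcher icon can also listen for boot events.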
Pervasive Android Threat
The existence of the current campaign demonstrates that despite the numerous countermeasures against mobile threats and Android malware in particular, it remains relatively easy for hackers to use Android as a platform for threat activity. Ted Miracco, CEO of mobile security firm Approov, cites the need for the implementation of more robust security measures such as app attestation, which requires app developers to provide answers to common security and compliance questions that are then published with the app, to protect users from such threats. In the meantime, users should be cautious when downloading and installing applications, especially from unofficial sources. To protect themselves better, users should avoid downloading apps from anywhere other than official app stores.
Conclusion
As the world becomes more connected, everyone should be cautious about the cybersecurity risks involved. One should also make the extra effort to learn about the best way to avoid these kinds of threats and the appropriate steps to take after an infection with malicious software. The responsibility for cybersecurity lies with both the users and the developers of applications and platforms. Developers should strive to develop more secure platforms while users should be cautious when downloading software. Taking these steps will significantly reduce the risk of malware infections and secure our digital lives.
<< photo by Michael Geiger >>