Google Removes 85 Adware-Infected Android Apps
Google has removed 85 Android apps from the official Play Store after it was reported that these apps were adware-infected.
Google took the decision to suspend the apps after researchers at security firm Trend Micro discovered that these apps, which masqueraded as games and remote controller simulators, contained a common strain of adware. The researchers also reported that these apps were downloaded at least 9 million times.
A Trend Micro blog post, dated January 8, 2019, and authored by Mobile Threat Response Engineer Ecular Xu, says, “…we recently discovered an active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store”.
The blog post further says, “This adware is capable of displaying full-screen ads, hiding itself, monitoring a device’s screen unlocking functionality, and running in the mobile device’s background. The 85 fake apps, which have been downloaded a total of 9 million times around the world.”
Among the 85 adware-infected apps, the most downloaded one is the “Easy Universal TV Remote” app, which claims to allow the use of smartphones to control TVs. The researchers who detected the fake apps have found that “Easy Universal TV Remote” was downloaded more than 5 million times. Moreover, this fake app has also got multiple complaints being posted about its behaviors on the comment section.
The apps were reportedly uploaded from different developer accounts and were signed using different digital certificates, but they showed similar behaviors and shared the same code. The Trend Micro report explains, “We tested each of the fake apps related to the adware family and discovered that though they come from different makers and have different APK cert public keys, they exhibit similar behaviors and share the same code.”
ZDNet reports that the apps were visually identical as well. “But besides similarities in their source code, the apps were also visually identical, and were all of the same types, being either games or apps that let users stream videos or control their TVs remotely”, reads a report from ZDNet. The report further says, “The apps were blatant adware, and you didn’t need to be a security researcher to realize they were malicious.”
Once one of these fake apps is downloaded and launched, it would show a full-screen ad. If you close the pop-up ad, you’d get call-to-action buttons like “start,” “open app,” or “next”. A banner ad would also appear on the screen of the mobile phone. If you tap on any of these buttons, another full-screen ad would pop up, followed by more buttons providing app-related options. You’d also be prompted to give the app a five-star rating on Google Play. Clicking on any of the buttons would bring up another full-screen ad on the screen, following which you’d be informed that the app is loading or buffering. A few seconds later the app disappears from the screen and hides its icon on the device. The fake app continues to run in the background and the adware gets configured. Every 15 or 30 minutes you’d get to see a full-screen ad on your screen. The Trend Micro report says, “Some of the fake apps exhibit another type of ad-showing behavior that monitors user screen unlocking action and shows an ad each time the user unlocks the mobile device’s screen. A receiver module registers in AndroidManifest.xml so that each time a user unlocks the device it will then trigger a full-screen ad pop up.”
Those behind the attack could thus go on making money out of the ads until either you remove the app or reset your device to factory settings.
Google swiftly suspended the fake apps from the Play Store after verifying the report from the Trend Micro researchers.
Julia Sowells703 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.