60K+ Android Apps Have Delivered Adware Undetected for Months

Published: 23/11/2024   Category: security




A campaign targeting mainly US users disguised malware in fake security software, game cracks, cheats, free Netflix, and other modded apps.



More than 60,000 malicious Android apps targeted users worldwide for more than six months with adware disguised as fake security software, game cracks, cheats, VPN software, the Netflix streaming app, and utility apps on third-party sites, researchers have found.
Bitdefender researchers discovered the malicious campaign, which they said mainly targets US Android users and which they believe began in October of last year.
Bitdefender revealed in a post published this week that while the campaign predominantly aims to push adware to Android devices to drive revenue for malicious actors, the operators can easily switch tactics to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information or ransomware.
The researchers discovered 60,000 different apps carrying the adware, according to the post. Moreover, the researchers expect there currently are more apps distributing the same malware in the wild, they said.
The distribution of the malicious apps is notable in that it appears automated and organic. The malware appears when users search for the types of apps behind which it was hiding — a current trend in the distribution of malicious apps, the researchers said. Usually, the victims are looking for unlocked versions of paid apps, according to the research.
In fact, modded apps are a hot commodity, with websites dedicated entirely to offering these types of packages, the researchers explained in the post. Usually, modded apps are modified original applications with their full functionality unlocked or featuring changes to the initial programming.
When users open a website from a Google search of a modded app, they then would be redirected to a random ad page that often is a download page for malware disguised as a legitimate download, the researchers said.
Since API 30, Google has removed the ability to hide the app icon on Android once a launcher is registered, the researchers explained. However, this only applies if a developer of the app registers a launcher in the first place, they said.
To circumvent this, the malicious apps in the campaign do not register any launchers and rely solely on the user and the default Android install behavior to run for the first time, the researchers explained. When installing a downloaded application, the last screen in the procedure will be an "Open app" option; in the case of the malware, this is all it needs to ensure that it will not be removed, the researchers said. On this screen, the app shows an "application is unavailable" message to trick the user into thinking it was never installed, according to the researchers.
This then sets off a unique detection tactic, they explained in the post. The app at this point is not installed and sleeps for two hours before registering two intents that cause the app to launch when the device is booted or unlocked, the researchers wrote in the post. The latter intent also is disabled for the first two days, a further anti-detection tactic, they said.
Then, every two hours after that, the alarm is triggered, a request to the server is made, and another alarm is registered, the researchers wrote. The server can choose to initialize the adware phase at an unknown time interval.
Upon launch, the app reaches out to the attackers' servers and retrieves ad URLs to be displayed in the mobile browser or as a full-screen WebView ad. At this point, attackers also can make the aforementioned pivot to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information, or ransomware, the researchers added.
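A triage heuristic for the behavior described above, as an added example that is not Bitdefender's tooling or code from the original article: it flags a decoded `AndroidManifest.xml` that declares no launcher entry point but does declare receivers for boot or unlock broadcasts. It assumes the manifest has already been decoded to text XML (for example with apktool) and that the two triggers map to the standard `BOOT_COMPLETED` and `USER_PRESENT` actions; the sample manifests are constructed, and receivers registered only at runtime will not appear in a manifest.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"
# Assumed mapping: standard broadcasts for "device booted" and "device unlocked".
TRIGGERS = {"android.intent.action.BOOT_COMPLETED",
            "android.intent.action.USER_PRESENT"}

def _names(intent_filter, tag):
    return {el.get(NS + "name") for el in intent_filter.findall(tag)}

def audit_manifest(xml_text):
    """Return (has_launcher, trigger_actions) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    has_launcher = False
    for comp in list(root.iter("activity")) + list(root.iter("activity-alias")):
        if comp.get(NS + "enabled") == "false":
            continue  # a disabled entry point puts no icon in the launcher
        for f in comp.findall("intent-filter"):
            if MAIN in _names(f, "action") and LAUNCHER in _names(f, "category"):
                has_launcher = True
    triggers = set()
    # Receivers count even when disabled: the article notes one trigger stays
    # disabled for the first two days, so it can be switched on later.
    for rcv in root.iter("receiver"):
        for f in rcv.findall("intent-filter"):
            triggers |= _names(f, "action") & TRIGGERS
    return has_launcher, triggers

def is_suspicious(xml_text):
    has_launcher, triggers = audit_manifest(xml_text)
    return not has_launcher and bool(triggers)

# Constructed sample: MAIN activity without LAUNCHER, plus a wake-up receiver.
HIDDEN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".Wake" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
# Same constructed manifest with a LAUNCHER category added to the activity.
NORMAL = HIDDEN.replace("</intent-filter>", '<category android:name="android.intent.category.LAUNCHER"/></intent-filter>', 1)
```

A hit is a reason to look closer, not a verdict: legitimate background components such as services and plugins can also ship without a launcher icon.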
The existence of the campaign demonstrates that despite the myriad steps taken to thwart mobile and Android malware in particular, it remains fairly easy for threat actors to continue to use Android as a platform for threat activity, notes one security expert.
It also highlights the need for continued vigilance and even more robust security measures — such as app attestation, which requires app developers to provide answers to common security and compliance questions that are then published with the app — to protect users from such threats, says Ted Miracco, CEO of mobile security firm Approov.
Moreover, the campaign serves as a reminder for users to exercise caution when downloading and installing applications, particularly from unofficial sources, he says.
Bitdefender included in its post a list of domains known to be distributing the campaign's adware, some of which are not necessarily malware-related, the researchers said. They also posted a list of indicators of compromise to help users detect if they've been infected by the adware.
As always, a good step for user protection is to avoid downloading apps from sources other than the official app stores.
