
Over 60,000 Android Apps Spread Adware Undetected for Months


A new study by Bitdefender has shown that more than 60,000 malicious Android apps have been targeting users worldwide for more than six months, with adware disguised as fake security software, game cracks, cheats, VPN software, the Netflix streaming app, and utility apps on third-party sites. The campaign is believed to target mainly US Android users and to have begun in October of last year. Bitdefender revealed in a blog post this week that while the campaign predominantly pushes adware to Android devices to generate revenue for the malicious actors, they “can easily switch tactics to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information or ransomware.”

The researchers discovered 60,000 different apps carrying the adware, according to the post, and they expect that more apps distributing the same malware are currently in the wild. The distribution of the malicious apps is notable in that it appears automated and “organic”: the malware surfaces when users search for the types of apps it hides behind, a current trend in the distribution of malicious apps, the researchers said. Usually the victims are looking for unlocked versions of paid apps, according to the research.

Since API 30, Google has removed the ability to hide the app icon on Android once a launcher is registered, the researchers explained. However, this only applies if a developer of the app registers a launcher in the first place, they said. To circumvent this, the malicious apps in the campaign do not register any launchers and rely solely on the user and the default Android install behavior to run for the first time, the researchers explained.

When installing a downloaded application, the last screen in the procedure offers to “Open” the app; in the case of the malware, this is all it needs to ensure that it will not be removed, the researchers said. On this screen, the app shows an “application is unavailable” message to trick the user into thinking it was never installed, according to the researchers. This then sets off a unique anti-detection tactic, they explained in the post. The app at this point is now installed and “sleeps for two hours before registering two ‘intents’ that cause the app to launch when the device is booted or unlocked,” the researchers wrote in the post. The latter intent also is disabled for the first two days, a further anti-detection tactic, they said.

“Then, every two hours after that, the alarm is triggered, a request to the server is made, and another alarm is registered,” the researchers wrote. “The server can choose to initialize the adware phase at an unknown time interval.” Upon launch, the app reaches out to the attackers’ servers and retrieves ad URLs to be displayed in the mobile browser or as a full-screen WebView ad. At this point, attackers also can make the aforementioned pivot to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information, or ransomware, the researchers added.
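The behaviour described above (no launcher registered, yet the app wakes on boot and unlock) can be turned into a static triage heuristic over a decoded AndroidManifest.xml. This is an added example for this article, not Bitdefender's tooling, and the manifest it scans is constructed to mimic the described pattern.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used by android:name and friends.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest mimicking the pattern described in the article:
# no MAIN/LAUNCHER activity, but a receiver for boot and unlock.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".UnavailableActivity"/>
    <receiver android:name=".WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

WAKE_ACTIONS = {"android.intent.action.BOOT_COMPLETED",   # device booted
                "android.intent.action.USER_PRESENT"}     # device unlocked

def triage_manifest(xml_text):
    """Return (has_launcher, wake_actions) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    has_launcher = False
    wake = set()
    for activity in root.iter("activity"):
        for flt in activity.iter("intent-filter"):
            actions = {a.get(A + "name") for a in flt.iter("action")}
            cats = {c.get(A + "name") for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                has_launcher = True
    for receiver in root.iter("receiver"):
        for act in receiver.iter("action"):
            if act.get(A + "name") in WAKE_ACTIONS:
                wake.add(act.get(A + "name"))
    return has_launcher, sorted(wake)

def is_suspicious(xml_text):
    """Flag an app that shows no launcher icon yet wakes on boot or unlock."""
    has_launcher, wake = triage_manifest(xml_text)
    return (not has_launcher) and bool(wake)

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), is_suspicious(SAMPLE_MANIFEST))
```

The article says the intents are registered at runtime, so a dynamically registered unlock receiver will not appear in the manifest; treat this check as one triage signal alongside the published indicators, not as a verdict.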

The existence of the campaign demonstrates that despite the myriad steps taken to thwart mobile and Android malware in particular, it remains fairly easy for threat actors to continue to use Android as a platform for threat activity, notes one security expert. It also highlights the need for continued vigilance and even more robust security measures to protect users from such threats.

Bitdefender included in its post a list of domains known to be distributing the campaign’s adware, some of which are not necessarily malware-related, the researchers said. They also posted a list of indicators of compromise to help users detect whether they have been infected by the adware. As always, a good step for user protection is to avoid downloading apps from sources other than the official app stores.
