CyberSecurity SEE

Large-Scale Malicious App Campaign Evading Android Security


A recent ad fraud campaign targeting the Google Play Store has accumulated more than 60 million downloads of malicious apps, according to a new analysis by Bitdefender. The campaign, which spans 331 apps, bypasses Android security restrictions to carry out its activities.

According to Bitdefender researchers, the campaign either involves a single actor or multiple criminals utilizing the same packaging tool available on black markets online. The malicious apps, which include seemingly harmless utility apps like QR scanners, expense trackers, healthcare apps, and wallpapers, are able to remain hidden on devices and launch without any user interaction, behaviors that are not supposed to be possible in the latest version of Android.

Despite Google removing many of the apps associated with the campaign, some still remain active and have even received updates. This suggests that the attackers are actively modifying their malware to evade detection by security systems. Bitdefender has reported its findings to Google, which is currently investigating the issue.

The apps involved in the campaign use various techniques to stay hidden from users, including hiding their icons, displaying continuous full-screen ads without permission, and launching phishing attempts. The attackers have been observed adapting their methods as their tactics are discovered, indicating a constant effort to stay ahead of detection systems.

One technique used by the attackers is shipping the app with its Launcher Activity disabled by default after download and enabling it through native code only after the installation process is complete. This makes the app icon disappear from the device launcher, a behavior that newer versions of the Android OS are designed to prevent. Some apps also abuse the Android Leanback Launcher, the launcher designed for Android TV, to evade detection.
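A defender-side static check for the manifest patterns just described, added here as an illustrative example; it is not part of the Bitdefender analysis or the original article. It assumes a decoded, text-form AndroidManifest.xml (for example as produced by apktool), uses a constructed sample manifest rather than one from any real app, and the rule names are invented for the example. The checks are heuristics only: a Launcher Activity declared with android:enabled="false", a Leanback launcher entry in an app that declares no TV feature, and an app with no enabled launcher entry at all, each of which deserves a closer look rather than an automatic verdict, since legitimate Android TV apps also declare a Leanback entry.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace as it appears in a decoded manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_ENABLED = "{%s}enabled" % ANDROID_NS

ACTION_MAIN = "android.intent.action.MAIN"
CAT_LAUNCHER = "android.intent.category.LAUNCHER"
CAT_LEANBACK = "android.intent.category.LEANBACK_LAUNCHER"
FEATURE_LEANBACK = "android.software.leanback"

# Constructed sample manifest (not from any real app): a "QR scanner" whose only
# regular launcher activity ships disabled, plus a Leanback (Android TV) entry in
# an app that declares no TV feature.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.qrscanner">
  <application android:label="QR Scanner">
    <activity android:name=".MainActivity" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TvActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LEANBACK_LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""

# Constructed benign manifest: a normal enabled launcher entry, nothing else.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def _entry_points(root):
    """Yield (component name, enabled?, categories) for every MAIN intent filter."""
    for comp in root.iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        name = comp.get(ATTR_NAME, "?")
        # android:enabled defaults to true when the attribute is absent.
        enabled = comp.get(ATTR_ENABLED, "true").lower() != "false"
        for flt in comp.findall("intent-filter"):
            actions = {a.get(ATTR_NAME) for a in flt.findall("action")}
            if ACTION_MAIN not in actions:
                continue
            cats = {c.get(ATTR_NAME) for c in flt.findall("category")}
            yield name, enabled, cats


def find_launcher_findings(manifest_xml: str) -> list:
    """Return a list of {"rule", "component"} dicts describing icon-hiding heuristics."""
    root = ET.fromstring(manifest_xml)
    declared_features = {f.get(ATTR_NAME) for f in root.findall("uses-feature")}
    findings = []
    visible_launcher = False
    for name, enabled, cats in _entry_points(root):
        if CAT_LAUNCHER in cats:
            if enabled:
                visible_launcher = True
            else:
                # Launcher entry declared but disabled: icon will not appear until
                # the app re-enables the component at runtime.
                findings.append({"rule": "launcher_activity_disabled", "component": name})
        if CAT_LEANBACK in cats and FEATURE_LEANBACK not in declared_features:
            # TV launcher entry in an app that does not declare itself a TV app.
            findings.append({"rule": "leanback_launcher_without_tv_feature", "component": name})
    if not visible_launcher:
        # No enabled MAIN/LAUNCHER entry at all: the app has no visible icon.
        findings.append({"rule": "no_enabled_launcher_entry", "component": None})
    return findings


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, find_launcher_findings(manifest))
```

The check reads only the manifest, so it cannot see the native code that later flips the component back on; it is meant as a triage filter over decoded APKs (for example a batch of apps pulled for review), with hits handed to an analyst or a dynamic sandbox.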

The apps are able to display ads and launch phishing attacks without user permission by abusing API calls and native libraries. Users have been prompted to enter credentials for websites like Facebook and YouTube, as well as provide credit card information under false pretexts. In some cases, users have been misled into installing third-party apps that could contain dangerous malware like banking Trojans.

The attackers use custom command and control (C2) domains and employ various encryption methods to communicate with the malicious apps. Device information is extracted using a unique dictionary-based structure with constantly changing keys, making detection and analysis more challenging.

Overall, the ad fraud campaign targeting the Google Play Store highlights the ongoing challenges of app security and the need for constant vigilance to protect users from malicious activities. The findings from Bitdefender’s analysis shed light on the sophisticated tactics employed by cybercriminals to evade detection and carry out their fraudulent schemes.
