
More than 60,000 Android Apps Install Malware on Devices Without Users’ Knowledge

Over 60,000 Android apps have been found posing as legitimate applications while silently installing adware on users' devices over the past six months. The campaign is believed to have started in October 2022 and has relied on a range of lures to distribute the malware, including fake security software, game cracks, VPN software, fake Netflix apps and utility apps hosted on third-party sites.

The malware is positioned to surface when users search for apps, mods, cracks and similar material, so its distribution is largely organic. Notably, modded apps have become a profitable market in their own right, and many specialised websites are now devoted entirely to offering such collections.

According to the cybersecurity researchers who discovered the malware and have been tracking it, affected users are located in several countries, including the United States, South Korea, Germany, France, Brazil and the UK. The apps were not found on Google Play; they are hosted on third-party websites that users reach via Google search. Visitors to these sites should expect to be redirected to pages that display advertisements, or to be prompted to download the application they were looking for.

In response to this malware campaign, Bitdefender has developed an anomaly detection feature that has been integrated into its Mobile Security software, which has proved effective in identifying the malicious apps. The campaign has been found to utilize purposely designed download platforms that function as distribution hubs for Android apps that are embedded with malicious code and are capable of infecting Android devices with adware upon installation.

These apps deliberately ship without an icon and insert a UTF-8 character into the app label, which makes them harder to spot in the app list. After installation, the app does not launch or configure itself, requests no additional privileges, and relies on the user opening it manually. It then stays dormant for two hours, during which it registers two intents that relaunch it on device boot or unlock. Once triggered, it connects to servers under the attacker's control and retrieves advertisement URLs, which are displayed in the mobile browser or in a full-screen WebView ad.
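As an added illustration (not code from the article or from Bitdefender), the following Python triage heuristic checks a decoded AndroidManifest.xml for the three traits described above: an invisible character in the app label, no launcher entry, and receivers that fire at boot and unlock. The mapping of "boot or unlock" to the BOOT_COMPLETED and USER_PRESENT actions, and the sample manifest, are assumptions constructed for this example.

```python
import unicodedata
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: the "boot or unlock" triggers named in the article are these actions.
PERSIST = {"android.intent.action.BOOT_COMPLETED", "android.intent.action.USER_PRESENT"}

def invisible_chars(label):
    """Code points in the label that render as nothing (Unicode format/control)."""
    return [c for c in label if unicodedata.category(c) in ("Cf", "Cc")]

def has_launcher_entry(app):
    """True if some activity is reachable from the launcher (MAIN + LAUNCHER)."""
    for act in app.iter("activity"):
        for flt in act.iter("intent-filter"):
            acts = {a.get(NS + "name") for a in flt.iter("action")}
            cats = {c.get(NS + "name") for c in flt.iter("category")}
            if "android.intent.action.MAIN" in acts and "android.intent.category.LAUNCHER" in cats:
                return True
    return False

def persistence_hooks(app):
    """Receiver actions that would relaunch the app at boot or unlock."""
    return {a.get(NS + "name") for r in app.iter("receiver")
            for a in r.iter("action") if a.get(NS + "name") in PERSIST}

def triage(manifest_xml):
    """Return the names of the indicators that match (empty list: none matched)."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if invisible_chars(app.get(NS + "label", "")):
        findings.append("invisible char in label")
    if not has_launcher_entry(app):
        findings.append("no launcher entry")
    if persistence_hooks(app) == PERSIST:
        findings.append("boot and unlock receivers")
    return findings

# Constructed sample: a decoded manifest showing all three traits (label ends in U+200B).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
 package="com.example.placeholder">
 <application android:label="Netflix\u200b">
  <activity android:name=".Main"/>
  <receiver android:name=".Wake"><intent-filter>
   <action android:name="android.intent.action.BOOT_COMPLETED"/>
   <action android:name="android.intent.action.USER_PRESENT"/>
  </intent-filter></receiver>
 </application></manifest>"""
```

The check runs against the text manifest produced by a decoder such as apktool or aapt, not the binary manifest inside the APK, and a hit on all three indicators is a prompt for closer inspection rather than a verdict on its own.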

The primary purpose of the malicious apps is to display advertisements, but researchers warn that the threat actors can easily swap the adware URLs for websites of a more dangerous nature. Because the malware remains active, security experts have compiled a list of malicious domains and other indicators of compromise (IOCs) that users should avoid to prevent the adware from being installed on their devices.

Given the growing threat of adware and malicious apps, companies must take proactive measures to secure their IT environment and device endpoints, including a robust endpoint protection solution with advanced detection and response capabilities. It is also best to avoid downloading apps from third-party websites, since the risk of downloading malware from them is ever present.

Users must remain vigilant by staying aware of the latest cybersecurity threats and keeping their mobile devices updated with the latest security patches and updates to stay ahead of evolving threats. By doing so, users can protect their sensitive information and guard against adware and malware that can compromise device performance and security.
