Romanian cybersecurity firm Bitdefender has uncovered a malicious program involving over 60,000 Android apps that have been quietly installing adware on mobile devices for the past six months.
The apps are disguised as legitimate applications and have managed to evade detection for an extended period of time. A recently added anomaly detection feature to the Bitdefender Mobile Security software was instrumental in identifying malicious apps.
The campaign started in October 2022 and targeted users in the United States, South Korea, Brazil, Germany, the United Kingdom, and France. The adware mimicked the following types of apps:
- Game cracks
- Games with unlocked features
- Free VPN
- Fake videos
- Netflix
- Fake tutorials
- YouTube/TikTok without ads
- Cracked utility programs: weather, pdf viewers, etc
- Fake security programs
The malicious apps are not hosted on Google Play but are distributed through third-party sites found in Google Search results. When users visit these sites, they are redirected to pages displaying advertisements or prompted to download the desired app. The download sites are specifically designed to distribute the malware-laden Android apps as Android packages (APK) that infect devices with adware upon installation.
Once installed, the apps do not configure themselves to run automatically, instead relying on the normal Android app installation flow. They prompt users to open the app after installation. Additionally, the apps lack icons and utilize a UTF-8 character in their labels, making them harder to detect. If the user does not open the app, it remains dormant and is unlikely to launch automatically.
When launched, the app displays an error message claiming it is unavailable in the user’s region, but it actually remains on the device and activates after a two-hour delay, triggered by system boot-up or device unblocking. The app then connects to the attackers’ servers to retrieve advertisement URLs, which are displayed in the mobile browser or as full-screen WebView ads.
While the current adware campaign aims to generate revenue through aggressive ad pushing, Bitdefender warns that the threat actors behind it could easily switch tactics and introduce more malicious content, such as banking Trojans or ransomware.
Despite the efforts by Google Play to improve the app’s security, threat actors continue to find ways to distribute malicious apps, making it crucial for users to exercise caution while downloading such apps.
In the News: Spanish bank Globalcaja faces ransomware attack