A recently identified adware campaign has gathered over 9 million downloads via 111 infected applications distributed through Google Play, Trend Micro’s security researchers reveal.
Discovered last month but active since 2018, the campaign has been using a total of 182 free-to-download game and camera apps, including 71 found on third-party stores that host generic applications, such as 9Apps and PP Assistant.
Of the 111 apps in Google Play, 43 were found to be unique or to have distinct features. The rest of them were iterations or duplicate apps.
Analysis of package names, labels, publishing and offline times, code structure, and coding style and features showed that all of these applications belong to the same campaign, even though they were submitted under different developer accounts.
The analysis also showed that all but 8 of the apps had already been removed from Google Play by the time of the investigation. Those 8 have since been removed as well, but not before the campaign reached a combined download count of 9,349,000, the researchers explain.
After installation, the fake applications behave as advertised for a set period, then hide their launcher icon so that the user can no longer find them easily and is less likely to uninstall them.
The adware is designed to display a full-screen ad each time the user unlocks the infected phone's screen. The advertisements are shown only within a configured time window and at a configured frequency; the most aggressive interval observed was one ad every 5 minutes.
The full-screen ads pop up on the phone’s screen even when the app is not running and they cannot be immediately closed or exited. When the user hits the back button to close the ad, an “open with” call-to-action message is shown instead.
“This adds to the cybercriminal’s mobile ad revenue and to the user’s annoyance. The button to close the ad will appear only after a set number of seconds has elapsed,” Trend Micro explains.
The operators were observed actively evolving the campaign to maximize profits. More recent versions of the adware stay dormant for 24 hours before running a scheduled task on the infected device, a delay long enough to outlast the analysis window of a typical automated sandbox.
Because no malicious activity occurs during that period, the first connection to the command and control (C&C) server is delayed as well, so neither network-based nor behaviour-based checks in anti-virus products and analysis tools see anything suspicious in the first hours after installation.
To remove the fake apps manually, users should open Settings, tap Apps & Notifications, then select All apps (the hidden apps still appear in this list even though their icon is gone). They should then scroll to the application they want to remove, select it, and tap Uninstall.
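A practitioner who suspects such an app on a device will usually want a faster check than scrolling through the app list. The script below is an added example, not code from the article or from Trend Micro: it parses the text of `adb shell dumpsys package` and reports packages whose launcher activity has been disabled, which is the common way an Android app makes its icon disappear while staying installed (the article describes the icon hiding but not the mechanism, so that is an assumption here). The sample dump, package names and class names are constructed to mirror the shape of real `dumpsys package` output and are not a real capture.

```python
"""Flag installed packages whose launcher activity is disabled (icon hidden).

Added example, not the article's or Trend Micro's code. Input is the text of
`adb shell dumpsys package <pkg>`; SAMPLE_DUMPSYS below is constructed, not a
real capture, and the package names in it are hypothetical.
"""
import re
from dataclasses import dataclass, field

LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Resolver table entry:  "<hex> com.pkg/.Activity filter <hex>"
COMPONENT_RE = re.compile(r"^\s*[0-9a-f]+ (?P<pkg>[\w.]+)/(?P<cls>[\w.$]+) filter [0-9a-f]+")
CATEGORY_RE = re.compile(r'^\s*Category: "(?P<cat>[^"]+)"')
PACKAGE_RE = re.compile(r"^\s*Package \[(?P<pkg>[\w.]+)\]")
DISABLED_RE = re.compile(r"^(?P<indent>\s*)disabledComponents:")


@dataclass
class PackageReport:
    package: str
    launcher_components: set = field(default_factory=set)  # activities with LAUNCHER category
    disabled_components: set = field(default_factory=set)  # per-user disabled components

    @property
    def hidden_launchers(self) -> set:
        return self.launcher_components & self.disabled_components

    @property
    def icon_hidden(self) -> bool:
        # Hidden only if the app has a launcher entry and every one of them is disabled.
        return bool(self.launcher_components) and self.launcher_components <= self.disabled_components


def normalize(pkg: str, cls: str) -> str:
    """Expand the '.Activity' shorthand used in the resolver table to a full class name."""
    return pkg + cls if cls.startswith(".") else cls


def parse_dumpsys_package(text: str) -> dict:
    """Line-based parse of dumpsys output; returns {package: PackageReport}."""
    reports = {}
    current_component = None  # (pkg, fqcn) of the resolver entry being read
    current_pkg = None        # package whose "Package [...]" block we are inside
    disabled_indent = None    # indent of an open "disabledComponents:" header
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip())
        if disabled_indent is not None:
            if line.strip() and indent > disabled_indent:
                reports.setdefault(current_pkg, PackageReport(current_pkg)) \
                    .disabled_components.add(normalize(current_pkg, line.strip()))
                continue
            disabled_indent = None  # a less-indented line closes the list
        m = COMPONENT_RE.match(line)
        if m:
            current_component = (m["pkg"], normalize(m["pkg"], m["cls"]))
            continue
        m = CATEGORY_RE.match(line)
        if m and current_component and m["cat"] == LAUNCHER_CATEGORY:
            pkg, fqcn = current_component
            reports.setdefault(pkg, PackageReport(pkg)).launcher_components.add(fqcn)
            continue
        m = PACKAGE_RE.match(line)
        if m:
            current_pkg = m["pkg"]
            current_component = None
            reports.setdefault(current_pkg, PackageReport(current_pkg))
            continue
        m = DISABLED_RE.match(line)
        if m and current_pkg:
            disabled_indent = len(m["indent"])
    return reports


def hidden_icon_packages(text: str) -> list:
    """Sorted package names whose launcher icon has been hidden."""
    return sorted(p for p, r in parse_dumpsys_package(text).items() if r.icon_hidden)


# Constructed sample shaped like `dumpsys package` output (not a real capture).
SAMPLE_DUMPSYS = """\
Activity Resolver Table:
  Non-Data Actions:
      android.intent.action.MAIN:
        3f2a1b0c com.example.cameraflash/.MainActivity filter 7a6b5c4d
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"
        9e8d7c6b com.example.cameraflash/.SettingsActivity filter 1f2e3d4c
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.DEFAULT"
        5a4b3c2d com.example.goodgame/.LauncherActivity filter 0a1b2c3d
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"

Packages:
  Package [com.example.cameraflash] (1a2b3c4):
    userId=10234
    User 0: ceDataInode=1234 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0
      disabledComponents:
        com.example.cameraflash.MainActivity
      enabledComponents:
        com.example.cameraflash.AdReceiver
  Package [com.example.goodgame] (4d5e6f7):
    userId=10235
    User 0: ceDataInode=1235 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0
"""

if __name__ == "__main__":
    for pkg in hidden_icon_packages(SAMPLE_DUMPSYS):
        print(f"launcher icon hidden: {pkg}  (adb shell pm uninstall --user 0 {pkg})")
```

Capture real input with `adb shell dumpsys package <pkg>` (or `adb shell dumpsys package` for every package) and feed the text to `hidden_icon_packages`; a flagged package can be removed with `adb shell pm uninstall --user 0 <pkg>` without hunting for it in the Settings list. Treat the result as a triage signal rather than proof: some legitimate apps disable a launcher alias on purpose (for example to switch between alternative icons), so a hit still needs a look at what the app does on screen unlock.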
“Cybercriminals are finding new ways to make mobile threats more surreptitious and evasive to profit from users, not just by deploying adware but even by stealing sensitive information. This is why mobile devices should have comprehensive security and software program against mobile malware,” Trend Micro concludes.