Adware Gathers 9 Million Downloads in Google Play

A recently identified adware campaign has gathered over 9 million downloads via 111 infected applications distributed through Google Play, Trend Micro’s security researchers reveal.

Discovered last month but active since 2018, the campaign has been using a total of 182 free-to-download game and camera apps, including 71 found on third-party stores that host generic applications, such as 9Apps and PP Assistant.

Of the 111 apps in Google Play, 43 were found to be unique or to have distinct features. The rest of them were iterations or duplicate apps.

Analysis of package names, labels, publishing times, offline times, code structures, and code styles and features revealed that all of these applications are part of the same campaign, although they have been submitted by different developers.

The analysis also revealed that most of the apps had been previously removed from Google Play, except for 8 apps. While these have also been removed in the meantime, they did manage to gather a total download count of 9,349,000, the researchers explain.

After installation, the fake applications distributing the adware run as intended for a specific time, after which they hide their icon from the user, to prevent removal.

The adware was designed to display full-screen ads whenever a user unlocks the infected phone’s screen. The adware is set to display the advertisements for a given time window and with a certain frequency, the highest of which was found to be 5 minutes.

The full-screen ads pop up on the phone’s screen even when the app is not running and they cannot be immediately closed or exited. When the user hits the back button to close the ad, an “open with” call-to-action message is shown instead.

“This adds to the cybercriminal’s mobile ad revenue and to the user’s annoyance. The button to close the ad will appear only after a set number of seconds has elapsed,” Trend Micro explains.

The campaign operators were observed actively evolving and strengthening it to maximize profits. More recent versions of the adware remain dormant for 24 hours before executing a scheduled task on the infected device, which allows the evasion of regular sandbox detection techniques.

The lengthy delay time before any malicious activity is performed also delays the connection to the command and control (C&C) server, thus allowing the adware to avoid being flagged by anti-virus solutions and analysis tools.

To manually remove the fake apps, users should go to Settings, click on Apps and Notifications, and then select All apps. Then, they should simply scroll to the application they want to remove, select it, and click on Uninstall.

“Cybercriminals are finding new ways to make mobile threats more surreptitious and evasive to profit from users, not just by deploying adware but even by stealing sensitive information. This is why mobile devices should have comprehensive security and software program against mobile malware,” Trend Micro concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
