42 Phony Google Play Apps Delivered Adware: Report
Fake Apps Downloaded More Than 8 Million Times, ESET Researchers Say
Some 42 apps that were available in the Google Play store had been delivering adware to Android devices for about a year, according to the security firm ESET. In the 12-month period starting in July 2018, these apps were downloaded about 8 million times to Android devices around the world, the researchers say.
Although the Google security team has removed all the apps from the Google Play store, ESET found that many are still available in third-party app stores.
Once downloaded, these apps connect to a command-and-control server and deliver unwanted advertising to a user's Android device at certain intervals, generating income on ad views for the fraudsters, the researchers say. In addition, the malware collects details and data from these devices and then sends that back to the adware developers, the report notes.
The information collected includes device type, the version of Android running, language, number of installed apps, free storage space, battery status, whether the device is rooted and "developer mode" is enabled, and whether Facebook and Facebook Messenger are installed, the researchers say.
The data collected could be used to help deliver other types of malware, the researchers say.
By using open source information and investigating the IP address of the command-and-control server, the ESET researchers traced these malicious apps back to a former Vietnamese college student, the report notes. ESET did not name the individual, but the analysts note they also found the former student's GitHub page, where he advertised himself as an Android developer.
The ESET researchers also found similar apps by the same developer in the Apple App Store, although these did not appear to have the same adware function, the report shows.
The adware that ESET discovered uses several tactics and techniques to make sure it remains undetected, the research shows.
After one of these apps is downloaded, it first checks whether the device is being tested by the Google Play security mechanism. Once that check comes back negative, the adware sets a time delay before it starts displaying advertisements, the research shows. This helps ensure that the user does not associate the particular app with the unwanted advertisements, the researchers say.
At the same time, the app connects to the command-and-control server and begins sending data back to the developer who created it.
To ensure that the adware continues to run, the malicious app also hides its icon and creates a shortcut instead, according to the researchers. "If a typical user tries to get rid of the malicious app, chances are that only the shortcut ends up getting removed. The app then continues to run in the background without the user’s knowledge," the researchers note.
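A defender-side audit check for the icon-hiding trick just described, added here as an example and not code from ESET or this article: it parses `dumpsys package` style output for a launcher activity that the app has put in its disabledComponents list while the process is not flagged as stopped. The package names, activity classes and dump text are constructed samples, and the block layout is assumed to follow Android's dumpsys format rather than taken from the page.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

def disabled_components(dump: str) -> Set[str]:
    """Collect class names listed under each 'disabledComponents:' block."""
    found: Set[str] = set()
    capturing, indent = False, 0
    for line in dump.splitlines():
        cur = len(line) - len(line.lstrip())
        if line.strip() == "disabledComponents:":
            capturing, indent = True, cur
            continue
        # Members sit deeper than the header and are not headers themselves.
        if capturing and cur > indent and not line.strip().endswith(":"):
            found.add(line.strip())
        else:
            capturing = False
    return found

def is_stopped(dump: str) -> Optional[bool]:
    """Per-user 'stopped=' flag from the dump; None if absent."""
    m = re.search(r"\bstopped=(true|false)", dump)
    return None if m is None else m.group(1) == "true"

def hidden_launchers(inventory: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """inventory maps package -> (full launcher activity class, dumpsys text)."""
    flagged = []
    for pkg, (launcher, dump) in inventory.items():
        if launcher in disabled_components(dump):
            reason = "launcher disabled"
            if is_stopped(dump) is False:  # process may still run in the background
                reason += ", not stopped"
            flagged.append((pkg, reason))
    return flagged

# Constructed samples in the layout of 'dumpsys package <pkg>'; hypothetical apps.
SAMPLE_INVENTORY = {
    "com.example.notes": ("com.example.notes.MainActivity", """\
  Package [com.example.notes] (1a2b3c4):
    User 0: installed=true hidden=false stopped=false enabled=0
"""),
    "com.example.flashlight": ("com.example.flashlight.LauncherActivity", """\
  Package [com.example.flashlight] (5d6e7f8):
    User 0: installed=true hidden=false stopped=false enabled=0
      disabledComponents:
        com.example.flashlight.LauncherActivity
      enabledComponents:
        com.example.flashlight.AdService
"""),
}
```

Calling hidden_launchers(SAMPLE_INVENTORY) returns only the flashlight package; on a real device the dump text would come from `adb shell dumpsys package <pkg>` and the launcher class from the app's manifest.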
This type of adware takes advantage of victims who download apps and then do not check what is going on in the background of their smartphone or other device, security experts say.
"This is a great example of an upstream or side-channel attack. We trust any software that gives us functionality and ignore what else the software might be doing," says Thomas Hatch, CTO at SaltStack, which offers cloud and security configuration tools. "This addiction to functionality is pushing an ever-widening gap between secure and safe computing and the never-ending barrage of new apps. This type of attack is in full swing today and the issue continues to grow."
In September, security firm AdSecure released a study that found adware increased a staggering 4,000 percent from the first quarter to the second quarter of 2019. Many of these adware campaigns go undetected for long periods of time, and cybercriminals are using the malware for more than delivering annoying ads. Many times, adware is used to spy on people or as part of a cryptomining scheme, the AdSecure report notes.
Emsisoft, another security firm, found that cybercriminals have started to use adware to deliver ransomware to devices (see: Ransomware Attacks: STOP, Dharma, Phobos Dominate).