A new batch of thirty-five malicious Android apps that display unwanted advertisements was found on the Google Play Store, with the apps installed over 2 million times on victims’ mobile devices.
The apps were found by security researchers at Bitdefender, who employed a real-time behavior-based analysis method to discover the potentially malicious applications.
Following standard tactics, the apps lure users into installing them by pretending to offer some specialized functionality but change their name and icon immediately after installation, making them difficult to find and uninstall.
From then on, the malicious apps begin to serve intrusive advertisements to the users by abusing WebView, generating fraudulent impressions and ad revenue for their operators.
Additionally, because these apps use their own framework to load the ads, it would likely be possible to drop additional payloads on a compromised device.
Hiding methods
As Bitdefender explains in the report, the adware apps implement multiple methods to hide on Android and even receive later updates to make it easier to hide on devices.
After installation, the apps typically assume a cog icon and rename themselves as ‘Settings,’ to evade detection and deletion.
If the user clicks on the icon, the malware app launches with a size of 0 to hide from view. The malware then launches the legitimate Settings menu to trick users into thinking they launched the correct app.
Function to launch system Settings (Bitdefender)
In some cases, the apps assume the appearance of Motorola, Oppo, or Samsung system apps.
The malicious apps also feature heavy code obfuscation and encryption to thwart reverse engineering efforts, hiding the main Java payload inside two encrypted DEX files.
Another method for the apps to hide from the user is to exclude themselves from the ‘Recent apps’ list, so even if they run in the background, exposing active processes won’t reveal them.
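As an added example (not code from Bitdefender's report or from the article), the following Python sketch triages a decoded AndroidManifest.xml for two of the hiding traits described above: a launcher entry labelled "Settings" outside the genuine Settings package, and a launcher activity excluded from the Recent apps list. The sample manifests and package names are constructed, labels are assumed to be inlined as literal strings, and treating only com.android.settings as genuine is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace
LOOKALIKE_LABELS = {"settings"}                      # label the article says the apps adopt
GENUINE_PACKAGES = {"com.android.settings"}          # assumption: AOSP Settings only

def launcher_activities(app):
    """Return <activity> elements whose intent filter puts an icon in the launcher."""
    found = []
    for act in app.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {e.get(A + "name") for e in flt.iter("action")}
            cats = {e.get(A + "name") for e in flt.iter("category")}
            if "android.intent.action.MAIN" in actions and \
               "android.intent.category.LAUNCHER" in cats:
                found.append(act)
                break
    return found

def triage(manifest_xml):
    """Return (activity, reason) pairs for the two hiding traits described above."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    findings = []
    for act in launcher_activities(app):
        name = act.get(A + "name", "?")
        label = act.get(A + "label") or app.get(A + "label", "")
        if label.strip().lower() in LOOKALIKE_LABELS and package not in GENUINE_PACKAGES:
            findings.append((name, "launcher label imitates Settings"))
        if act.get(A + "excludeFromRecents") == "true":
            findings.append((name, "launcher activity hidden from Recent apps"))
    return findings

# Constructed sample manifests (hypothetical packages, labels inlined as literals).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
LAUNCH = ('<intent-filter><action android:name="android.intent.action.MAIN"/>'
          '<category android:name="android.intent.category.LAUNCHER"/></intent-filter>')
SUSPECT = (f'<manifest {NS} package="com.example.wallpack"><application android:label="Settings">'
           f'<activity android:name=".Main" android:excludeFromRecents="true">{LAUNCH}</activity>'
           '</application></manifest>')
BENIGN = (f'<manifest {NS} package="com.example.notes"><application android:label="Notes">'
          f'<activity android:name=".Main">{LAUNCH}</activity>'
          '<activity android:name=".Share" android:excludeFromRecents="true"/>'
          '</application></manifest>')

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(triage(sample))
```

Either trait on its own also occurs in legitimate apps, so a hit marks an APK for closer review and is not a verdict.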
Popular apps serving ads
The 35 malicious Android applications have download counts ranging from 10,000 to 100,000, totaling over two million downloads.
The most popular of these, having 100k downloads each, are the following:
- Walls light – Wallpapers Pack (gb.packlivewalls.fournatewren)
- Big Emoji – Keyboard 5.0 (gb.blindthirty.funkeyfour)
- Grand Wallpapers – 3D Backdrops 2.0 (gb.convenientsoftfiftyreal.threeborder)
- Engine Wallpapers (gb.helectronsoftforty.comlivefour)
- Stock Wallpapers (gb.fiftysubstantiated.wallsfour)
- EffectMania – Photo Editor 2.0 (gb.actualfifty.sevenelegantvideo)
- Art Filter – Deep Photoeffect 2.0 (gb.crediblefifty.editconvincingeight)
- Fast Emoji Keyboard APK (de.eightylamocenko.editioneights)
- Create Sticker for Whatsapp 2.0 (gb.convincingmomentumeightyverified.realgamequicksix)
- Math Solver – Camera Helper 2.0 (gb.labcamerathirty.mathcamera)
- Photopix Effects – Art Filter 2.0 (gb.mega.sixtyeffectcameravideo)
- Led Theme – Colorful Keyboard 2.0 (gb.theme.twentythreetheme)
- Animated Sticker Master 1.0 (am.asm.master)
- Sleep Sounds 1.0 (com.voice.sleep.sounds)
- Personality Charging Show 1.0 (com.charging.show)
- Image Warp Camera
- GPS Location Finder (smart.ggps.lockakt)
Of the above, ‘Walls light – Wallpapers Pack’, ‘Animated Sticker Master’, and ‘GPS Location Finder’ are still available on the Play Store at the time of writing.
Adware still available on the Play Store
Bleeping Computer has contacted Google on the matter, and we will update this post as soon as we receive a response.
The rest of the listed apps are available on multiple third-party app stores like APKSOS, APKAIO, APKCombo, APKPure, and APKsfull, but the presented download counts are from their time on the Play Store.
That said, if you have installed any of these apps in the past, you should locate and remove them from your device immediately.
Because the apps masquerade as Settings, running a mobile AV tool to locate and remove them might be helpful in this case.
Comments
-
beepboopboopbleeep – 3 days ago
Wondering why it is at all possible that an installed app changes its name after installation. That alone is a serious security concern and seems to be an unsolved issue in Android OS.
-
Donaldmagee – 2 days ago
Thanks for posting this informative content!
-
Liggliluff – 13 hours ago
On the thing about apps changing name and icon after installation, that’s just a misconception of what’s actually going on.
An apk has one or multiple icons (which can change depending on locale), and one or multiple names (which can also change depending on locale). When you add an app to Google Play, you again have to set up the name and icon there, per locale. This means you can just set these as different things, and you’ll get different things after installation. This is for example the thing with com.discord: the apk uses “Discord”, but on Google Play it’s “Discord: Talk, Chat & Hang Out”.
An easy solution here is that Google removes the option from Google Play to set your own name and icon, and have it read straight from the apk itself.
But a problem is that a lot of popular apps add this tiny tagline to the name: Spotify, SoundCloud, Twitch, LinkedIn, Amino, …
So with this solution, adding a tiny tagline should maybe be a feature.