According to recent reports, a considerable number of adware apps have been uncovered on Android devices. This campaign, which began in October 2022, involves adware masquerading as cracks or modded versions of popular applications. These apps serve unwanted ads to users with an aggressive push to drive revenue. Worryingly, the threat actors can readily switch tactics to redirect users to other types of malware, such as banking Trojans for credential and financial theft or ransomware.
The extent of the Adware Campaign
Bitdefender, a Romanian cybersecurity firm, has discovered approximately 60,000 unique applications carrying the adware. Notably, the majority of these detections were made in the U.S., South Korea, Brazil, Germany, U.K., France, Kazakhstan, Romania, and Italy.
What sets this adware campaign apart is its evasion tactics. None of the infected apps are distributed through the official Google Play Store. Instead, users searching for apps like Netflix, PDF viewers, security software, and modded versions of YouTube on a search engine are redirected to an ad page hosting the malware. Once installed, these apps have no icons or names, making them hard to detect.
The Deception
Upon launching the app for the first time after installation, users see a message that the “Application is unavailable in your region from where the app serves. Tap OK to uninstall”. This, however, activates the malicious activity in the background. The adware remains dormant for a few days before awakening when the user unlocks the phone to serve a full-screen ad using Android WebView.
Related Discoveries
Apart from Bitdefender, other cybersecurity firms have also reported related findings. For instance, CloudSEK identified the rogue SpinOK SDK in 193 apps on the Google Play Store, downloaded 30 million times. This trojan masquerades as a module designed to engage users with mini-games and tasks for rewards while secretly stealing files and replacing clipboard contents.
Simultaneously, the SonicWall Capture Labs Threat Research team found another strain of Android malware. This one impersonates legitimate apps to harvest a broad range of information from compromised devices by exploiting the operating system’s accessibility services. These features can lead to various forms of fraud, including financial fraud and identity theft.
Specifics of the Malware Operation
The malware achieves ad delivery through various techniques like taking over the screen, sending notifications, opening browser tabs, and playing videos. The malware doesn’t create a launcher icon. Instead, it relies on the user to launch it via deceptive notifications. When opened, the app shows an error message and offers to uninstall itself. However, this button doesn’t remove the app. Instead, the app hides in the background and feeds ads into the experience as the user operates the phone.
Implications and Consequences
With 55% of apps targeting American users, this malware operation has managed to penetrate the US market significantly. Other heavily affected countries include South Korea, Brazil, and Germany. Although the primary aim appears to be ad revenue generation, the operators could easily swap in a data stealer or ransomware module to extract more money from the victims.
Precautionary Measures
The best way to stay safe from such threats is by avoiding sideloading apps from suspicious third-party stores. Users are encouraged to download apps only from trusted sources like the official Google Play Store. Furthermore, maintaining updated security software on your devices can help detect and prevent such intrusions.
Future Perspectives and the Role of Anomaly Detection
Bitdefender’s new anomaly detection technology was instrumental in uncovering this malware campaign. By leveraging advanced machine learning techniques, this technology can identify unusual patterns and behaviors that may signify a potential threat. As cyber threat actors continue to evolve their tactics, this type of proactive approach will likely become even more critical in the fight against mobile malware.
Despite the significant number of detections, researchers believe more apps are distributing the same malware in the wild, indicating an ongoing and escalating threat.
Distribution Tactics
- The campaign’s distribution seems organic and automated, appearing when users search for the types of apps it hides behind. This trend is a popular one in the distribution of malicious apps.
- Once users find the malware disguised as a legitimate app from a Google search, they get redirected to a random ad page, which is often a download page for malware.
The Modus Operandi of the Android Malware
When installing a downloaded application, the last screen prompts to “Open” the app. For the malware, this is all it needs to ensure it won’t be removed. The app shows an “application is unavailable” message to trick the user into thinking it was never installed.
After installation, the app “sleeps” for two hours before registering two “intents” that cause the app to launch when the device is booted or unlocked. Upon launch, the app contacts the attackers’ servers and retrieves ad URLs to be displayed in the mobile browser or as a full-screen WebView ad. At this point, attackers can also redirect users to other types of malware, such as banking Trojans, to steal credentials and financial information or ransomware.
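The combination described above (no launcher icon, plus wake-up on boot or unlock) can be checked for in an APK's decoded manifest. The following is an added defensive triage example, not code from Bitdefender or the original report; the two broadcast action names, the component names, and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: the article does not name the two intents; these are the standard
# Android broadcast actions for "device booted" and "device unlocked".
WAKE_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.intent.action.USER_PRESENT"}

def _filters(component):
    """Yield (actions, categories) for each <intent-filter> of a component."""
    for f in component.findall("intent-filter"):
        yield ({a.get(NS + "name") for a in f.findall("action")},
               {c.get(NS + "name") for c in f.findall("category")})

def triage_manifest(xml_text):
    """Flag a manifest with no launcher entry but boot/unlock receivers (triage only)."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    comps = [] if app is None else list(app)
    has_launcher = any(
        "android.intent.action.MAIN" in acts
        and "android.intent.category.LAUNCHER" in cats
        for c in comps if c.tag in ("activity", "activity-alias")
        for acts, cats in _filters(c))
    wake = {}
    for c in comps:
        if c.tag == "receiver":
            hits = set().union(*(acts for acts, _ in _filters(c))) & WAKE_ACTIONS
            if hits:
                wake[c.get(NS + "name")] = sorted(hits)
    return {"package": root.get("package"), "has_launcher": has_launcher,
            "wake_receivers": wake, "suspicious": not has_launcher and bool(wake)}

# Constructed sample manifests (not taken from any real app).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s"><application>'
TAIL = "</application></manifest>"
RCV = ('<receiver android:name=".Wake"><intent-filter>'
       '<action android:name="android.intent.action.BOOT_COMPLETED"/>'
       '<action android:name="android.intent.action.USER_PRESENT"/>'
       '</intent-filter></receiver>')
MAIN = ('<activity android:name=".Main"><intent-filter>'
        '<action android:name="android.intent.action.MAIN"/>'
        '<category android:name="android.intent.category.LAUNCHER"/>'
        '</intent-filter></activity>')
HIDDEN = HEAD % "com.example.hidden" + '<activity android:name=".Msg"/>' + RCV + TAIL
NORMAL = HEAD % "com.example.normal" + MAIN + RCV + TAIL
if __name__ == "__main__":
    for m in (HIDDEN, NORMAL):
        print(triage_manifest(m))
```

Receivers registered at runtime do not appear in the manifest, so a clean result here does not rule the behavior out; legitimate apps without a launcher entry also exist, so a hit is a prompt for closer review.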
Conclusion
With this large-scale adware campaign, it is evident that malware threats are continuously evolving and increasing in sophistication. Users must stay vigilant and exercise caution when downloading apps, especially from third-party sources. Leveraging advanced security tools, like anomaly detection technologies, is crucial to mitigate these threats and safeguard users’ data.