Trend Micro specialists found 85 applications in the Google Play catalog that displayed intrusive ads to users. In total, these adware apps were installed from Google Play more than 8 million times.
The malware, which received the identifier AndroidOS_Hidenad.HRXH, disguises itself as a variety of games and photo-editing software. Among the malicious applications were Magic Camera, Make Magical Photos, Blur Photo Editor, Background Replacement, Find the difference: smart detective, as well as Color House2019.
“It isn’t your run-of-the-mill adware family: Apart from displaying advertisements that are difficult to close, it employs unique techniques to evade detection through user behavior and time-based triggers,” Trend Micro specialists report.
Shortly after installation, these applications showed victims intrusive full-screen advertising; the banners were hard to close and made it impossible to use the device normally.
Researchers note that after installation and launch, the applications also showed quite unusual behavior: they recorded two timestamps, installTime and networkInstallTime. The malware then registered a Broadcast Receiver (an Android component that lets applications receive and react to system or application events) for android.intent.action.USER_PRESENT. As a result, the attackers could monitor the user’s activity every time an infected device was unlocked.
The malware compared the current time (the device’s system time) with the saved installTime value, and then compared the current network time (requested through a RESTful API) with the saved networkInstallTime value. From this, the application determined whether it had been installed on the device for long enough (by default, the delay before malicious activity started was 30 minutes). If enough time had passed, the malware hid its icon and created a shortcut in its place (to make removal harder).
Then, using the Broadcast Receiver to monitor user activity, the application proceeded to display ads. The installTime and networkInstallTime values were also used to determine how long the malware had been on the device. In addition, the malware regularly checked the most recently shown ads to make sure it did not display the same ad too often.
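The traits described above (a receiver for USER_PRESENT, shortcut creation, and the installTime / networkInstallTime bookkeeping) can be turned into a simple triage heuristic for analysts. The following script is an added example, not code from Trend Micro or from the malware; the manifest and string constants are constructed, and the INSTALL_SHORTCUT permission check is an extra heuristic not named in the article.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real app) showing the traits
# the article describes: a USER_PRESENT receiver plus shortcut creation.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photoeditor">
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".UnlockReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed string constants, as if extracted from decompiled code.
SAMPLE_STRINGS = ["installTime", "networkInstallTime", "ad_unit_fullscreen"]

# The two timestamp keys the article names.
TIME_KEYS = {"installTime", "networkInstallTime"}


def triage_manifest(manifest_xml, decompiled_strings):
    """Return a list of Hidenad-style traits found; an empty list means none."""
    root = ET.fromstring(manifest_xml)
    findings = []
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    if "com.android.launcher.permission.INSTALL_SHORTCUT" in perms:
        findings.append("requests INSTALL_SHORTCUT permission")
    # Any receiver whose intent-filter listens for device unlock events.
    for recv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        if "android.intent.action.USER_PRESENT" in actions:
            name = recv.get(ANDROID_NS + "name")
            findings.append("receiver %s listens for USER_PRESENT" % name)
    # Both timestamps together suggest the install-age delay described above.
    if TIME_KEYS <= set(decompiled_strings):
        findings.append("stores both installTime and networkInstallTime")
    return findings


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print("FLAG:", finding)
```

Any single flag is weak on its own (many legitimate apps listen for USER_PRESENT); the combination is what merits a closer look.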
Currently, all malicious applications have already been removed from Google Play. A complete list of indicators of compromise can be found here.
According to Trend Micro experts, there are some ways to help lessen the adware’s impact.
For example, the latest Samsung Android devices have a feature that restricts the creation of shortcuts on the home screen, which can help users uninstall the adware. Android 8.0 and later versions also ask for user confirmation before an application is allowed to create a shortcut.
The apps will first hide their icon before generating a shortcut on the home screen; if the shortcut isn’t created, users could be made more aware of its more unusual behaviors. And apart from adopting best practices when securing mobile devices, it also pays to read the app reviews before installing them, as they can help raise red flags if they show suspicious behaviors.