Android adware tricks ad networks into thinking it's an iPhone to make more money

New Android adware discovered in 22 apps downloaded over two million times.


Google has recently removed 22 Android apps from the Play Store. The apps were removed for abusing Android devices to load and click on ads behind the users' backs.


The Google Play Store has been plagued by an adware epidemic these past few months, as ZDNet detailed in a previous article.

What made this particular Android adware campaign stand out wasn't the fact that the infected apps clicked ads behind users' backs, but the fact that the apps disguised the Android device as an iPhone in the eyes of online advertisers.

[Image: fake-ua-string.png. Credit: Sophos]

The reason for this highly unusual behavior is that ad networks value traffic from Apple devices more than traffic from Android, Linux, or Windows devices. This particular adware gang appears to have noticed this small detail and reacted accordingly.

22 adware apps found, downloaded more than 2 million times

Sophos Labs, the cyber-security firm that discovered these malicious apps and reported them to Google last month, said this adware operation appears to have started around June this year.

Sophos malware researcher Chen Yu said the company identified 22 Android apps that were part of this campaign, which have collectively been downloaded more than two million times from Google's official Play Store. Of the 22 apps, the most popular was Sparkle, an Android flashlight app downloaded more than one million times.

Curiously, three of the 22 apps were created back in 2016 and 2017, and earlier versions were deemed clean prior to the June releases, suggesting that the app maker, most likely the same dev, had a change of heart regarding the apps' monetization strategy.

In a detailed analysis of the adware's modus operandi published last week, Chen said this particular strain was more aggressive than other previously discovered Android adware families.

Adware would re-start itself if shut down

The adware, which Sophos detects as Andr/Clickr-ad, would start a hidden browser window, change the browser's User-Agent string to that of an iPhone, access particular pages, and mimic clicks on ads shown on the page, generating a profit for the adware operator.
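
A server-side consistency check that an ad network could run against the User-Agent spoofing described above, as an added example that is not from Sophos's analysis or the original article. It assumes request headers are logged and that the client still sends an Android-side signal (the WebView `X-Requested-With` package name or a `Sec-CH-UA-Platform` client hint); the sample records and package names are constructed.

```python
import re

IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 8.0; Pixel 2) AppleWebKit/537.36"

# Constructed ad-request records; package names are hypothetical.
SAMPLE_REQUESTS = [
    {"id": "r1", "headers": {"User-Agent": IPHONE_UA}},
    {"id": "r2", "headers": {"User-Agent": IPHONE_UA,
                             "X-Requested-With": "com.example.flashlight"}},
    {"id": "r3", "headers": {"User-Agent": IPHONE_UA,
                             "X-Requested-With": "XMLHttpRequest"}},
    {"id": "r4", "headers": {"User-Agent": IPHONE_UA,
                             "Sec-CH-UA-Platform": '"Android"'}},
    {"id": "r5", "headers": {"User-Agent": ANDROID_UA,
                             "X-Requested-With": "com.example.news"}},
]

# Reverse-DNS identifier, the shape of an Android application ID.
PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$", re.IGNORECASE)


def platform_conflicts(headers):
    """Return reasons why a request claiming to be an iPhone looks like Android."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if "iphone" not in h.get("user-agent", "").lower():
        return []  # only iPhone-claiming traffic is checked
    reasons = []
    xrw = h.get("x-requested-with", "")
    # Android WebView has by default sent the embedding app's package name here;
    # "XMLHttpRequest" is the ordinary AJAX marker and has no dots, so it fails the regex.
    if PACKAGE_RE.match(xrw):
        reasons.append("x-requested-with=" + xrw)
    if h.get("sec-ch-ua-platform", "").strip('"').lower() == "android":
        reasons.append("sec-ch-ua-platform=android")
    return reasons


def flag_spoofed(requests):
    """Map request id to conflict reasons for each contradictory request."""
    found = {r["id"]: platform_conflicts(r["headers"]) for r in requests}
    return {rid: why for rid, why in found.items() if why}


if __name__ == "__main__":
    for rid, why in flag_spoofed(SAMPLE_REQUESTS).items():
        print(rid, why)
```

A client that strips both headers passes this check, so it is one signal to combine with others rather than a complete detector.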




The aggressive part, Chen said, was that these apps also contained code that automatically restarted them after three minutes if the user closed their process. Chen said this would lead to an increase in battery consumption on infected phones.

Furthermore, just like all modern adware strains, Andr/Clickr-ad also contained the ability to download and run other files, but the operators of this adware didn't seem interested in abusing such functionality, being content with only generating profits via ad fraud.

Sophos published the list of all 22 apps that contained the malicious adware code. Chen said the same developers had also published iOS apps on the iTunes Store, but these apps didn't appear to include the ad-clicking code.

[Image: list-of-infected-apps.png. Credit: Sophos]
