Android malware disguises as ad blocker, but then pesters users with ads

Oh, the irony!
Written by Catalin Cimpanu, Contributor

Security researchers have discovered a new Android malware strain that is currently being distributed as an ad blocker for Android users but, ironically, once installed, pesters victims with ads through multiple methods every couple of minutes.

Named FakeAdsBlock, this new strain has already infected at least 500 users, according to Malwarebytes, the antivirus maker that spotted the malware.

Its distribution vector is third-party app stores, where it is available for download as an ad-blocking app named Ads Blocker, said Nathan Collier, Senior Malware Intelligence Analyst at Malwarebytes.

This, however, might change in the future. Collier said they already found evidence that the same FakeAdsBlock malware was also available hidden in apps named "Hulk (2003).apk," "Guardians of the Galaxy.apk," and "Joker (2019).apk." The researcher says this suggests that the malware's creators were in the midst of shifting their distribution pattern to a bogus movie streaming portal.

Users looking to watch pirated movies would eventually end up installing a malicious app carrying FakeAdsBlock. This distribution vector isn't new and has often been used before, especially with apps that purport to grant access to adult movies.

FakeAdsBlock modus operandi

As for the malware itself, FakeAdsBlock is something else, especially in the brash way it bombards users with ads.

All of this starts with the installation process, where the Ads Blocker app (in which the malware is hidden) asks for permission to display content over other apps.

This is an odd permission to request, especially for an app whose stated goal is removing content, not showing something on top of other apps.

But the shady things continue. The app also requests permission to set up a VPN connection, which, again, is very odd for an ad blocker.

"To clarify, the app doesn't actually connect to any VPN," Collier said. "Instead, by clicking OK, users actually allow the malware to run in the background at all times."

Image: Malwarebytes

Yet the shady things don't stop here. The FakeAdsBlock malware also requests permission to show a widget on the device's home screen. This makes no technical sense, as an ad blocker has no need for a widget, but more on this later.

Once all this finishes, the app shows a screen with some text scrolling down and then disappears for good. The malware removes its icon, and the ad bombardment begins. The ads appear everywhere, in different forms.

There are fullscreen ads, notification spam, and websites that open out of the blue, prompting the user to enable yet more notifications.

Image: Malwarebytes

But the most novel and perfidious trick is the use of a home screen widget to show ads, something not seen before.

According to Collier, the FakeAdsBlock malware uses a transparent widget inside which it loads ads at regular intervals. Because the ads are shown inside a widget, they can't be dismissed unless the user removes the widget. But since the user can't see the transparent widget on their screen, they never know it is there in the first place.

Image: Malwarebytes

"Ads Blocker is inordinately hard to find on the mobile device once installed," Collier said. "To start, there is no icon for Ads Blocker. However, there are some hints of its existence, for example, a small key icon in the status bar." [see image above]

"This key icon was created after accepting the fake VPN connection message, as shown above. As a result, this small key is proof that the malware is running in the background," the Malwarebytes researcher added.

But once users get an idea that something might be wrong, they can head over to the Apps section of the Android settings, from where they can remove it like any other app. Here, the app should be easy to spot, as it's the only one without an icon or a name. The FakeAdsBlock authors thought they were being smart by hiding these two details, but they actually made the app stand out further.

Image: Malwarebytes
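The article lists a recognisable profile for this kind of adware: an overlay ("draw over other apps") grant, a VpnService that exists only to keep the process resident, a home-screen widget, and no launcher icon. The following script, added here as an illustration and not code from the article or from Malwarebytes, scores the third-party packages on a connected device against those four red flags using standard `adb shell` commands (`pm list packages -3`, `appops get`, `cmd package resolve-activity`, `dumpsys package`). The package names and the command output embedded below are constructed so the script runs offline; with a device attached, pass `adb_runner` to `triage()` instead of `sample_runner`.

```python
"""Added example: triage third-party Android packages for the FakeAdsBlock profile.
Not the article's or Malwarebytes' code. Sample output below is constructed."""
import re
import subprocess
from typing import Callable, Dict, List

# Real adb shell commands used for each signal.
PKG_LIST_CMD = "pm list packages -3"
OVERLAY_CMD = "appops get {pkg} SYSTEM_ALERT_WINDOW"
LAUNCHER_CMD = ("cmd package resolve-activity --brief "
                "-a android.intent.action.MAIN -c android.intent.category.LAUNCHER {pkg}")
DUMPSYS_CMD = "dumpsys package {pkg}"

# Constructed sample output for two hypothetical packages, in the shape these commands print.
SAMPLE_OUTPUT = {
    PKG_LIST_CMD: "package:com.example.notes\npackage:com.example.adsblocker\n",
    OVERLAY_CMD.format(pkg="com.example.notes"): "No operations.\n",
    OVERLAY_CMD.format(pkg="com.example.adsblocker"):
        "SYSTEM_ALERT_WINDOW: allow; time=+2d3h12m41s ago\n",
    LAUNCHER_CMD.format(pkg="com.example.notes"):
        "priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true\n"
        "com.example.notes/.MainActivity\n",
    LAUNCHER_CMD.format(pkg="com.example.adsblocker"): "No activity found\n",
    DUMPSYS_CMD.format(pkg="com.example.notes"):
        "Packages:\n  Package [com.example.notes]\n    requested permissions:\n"
        "      android.permission.INTERNET\n",
    DUMPSYS_CMD.format(pkg="com.example.adsblocker"):
        "Service Resolver Table:\n  Non-Data Actions:\n      android.net.VpnService:\n"
        "        com.example.adsblocker/.KeepAliveVpn\n"
        "Receiver Resolver Table:\n  Non-Data Actions:\n"
        "      android.appwidget.action.APPWIDGET_UPDATE:\n"
        "        com.example.adsblocker/.AdWidget\n"
        "Packages:\n  Package [com.example.adsblocker]\n    requested permissions:\n"
        "      android.permission.SYSTEM_ALERT_WINDOW\n      android.permission.INTERNET\n",
}

Runner = Callable[[str], str]


def sample_runner(cmd: str) -> str:
    """Offline runner: serves the constructed output above."""
    return SAMPLE_OUTPUT[cmd]


def adb_runner(cmd: str) -> str:
    """Live runner: executes the command on the attached device through adb."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True, text=True,
                          check=False).stdout


def list_third_party_packages(out: str) -> List[str]:
    # "pm list packages" prints one "package:<name>" line per package.
    return [line.split(":", 1)[1].strip() for line in out.splitlines()
            if line.startswith("package:")]


def overlay_allowed(out: str) -> bool:
    # appops prints "SYSTEM_ALERT_WINDOW: allow; ..." once "draw over other apps" is granted.
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", out) is not None


def has_launcher_activity(out: str) -> bool:
    # resolve-activity prints "No activity found" when nothing answers the LAUNCHER intent.
    return "No activity found" not in out and out.strip() != ""


def declares_vpn_service(dump: str) -> bool:
    # A VpnService subclass is registered under the android.net.VpnService intent action.
    return "android.net.VpnService" in dump


def declares_home_widget(dump: str) -> bool:
    # An AppWidgetProvider receives APPWIDGET_UPDATE broadcasts.
    return "android.appwidget.action.APPWIDGET_UPDATE" in dump


def triage(run: Runner) -> Dict[str, List[str]]:
    """Map each third-party package to the list of red flags it exhibits."""
    flags: Dict[str, List[str]] = {}
    for pkg in list_third_party_packages(run(PKG_LIST_CMD)):
        found: List[str] = []
        if overlay_allowed(run(OVERLAY_CMD.format(pkg=pkg))):
            found.append("overlay-granted")
        if not has_launcher_activity(run(LAUNCHER_CMD.format(pkg=pkg))):
            found.append("no-launcher-icon")
        dump = run(DUMPSYS_CMD.format(pkg=pkg))
        if declares_vpn_service(dump):
            found.append("vpn-service")
        if declares_home_widget(dump):
            found.append("home-widget")
        flags[pkg] = found
    return flags


def suspicious(flags: Dict[str, List[str]], threshold: int = 3) -> List[str]:
    """Any single flag is common in benign apps; the adware profile is several at once."""
    return sorted(p for p, f in flags.items() if len(f) >= threshold)


if __name__ == "__main__":
    result = triage(sample_runner)
    for pkg, f in result.items():
        print(f"{pkg}: {', '.join(f) or 'no flags'}")
    print("suspicious:", suspicious(result))
```

Each signal alone is weak: messaging apps legitimately draw over other apps, real VPN clients declare a VpnService, and many apps ship widgets. The threshold in `suspicious()` exists so the script only surfaces packages that combine several of the flags, which is the combination the article describes. Keep in mind that `appops get` and `dumpsys package` need a developer-enabled device with USB debugging, and that an app can still hide its true purpose from this kind of static check, so treat a hit as a starting point for manual review rather than a verdict.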