Android malware found inside apps downloaded 500,000 times

Attackers managed to serve up adware to large number of victims.
Written by Danny Palmer, Senior Writer

Video: In the battle against malware, Google adds Play Protect logo to certified Android devices

Cybercriminals have distributed malware to hundreds of thousands of Android users by hiding it inside a series of apparently harmless apps.

The malware was sneaked onto the Google Play store disguised as seven different apps -- six QR readers and one 'smart compass' -- and bypassed security checks by hiding its true intent with a combination of clever coding and delaying its initial burst of malicious activity.

Following installation, the malware waits for six hours before it begins work on its true purpose -- serving up adware, flooding the user with full screen adverts, opening adverts on webpages, and sending various notifications containing ad-related links.

All of this activity was designed with the intent of generating click-based revenue for the attackers -- even when the app itself isn't actively running.

The general purpose nature of the apps allowed the attackers to pull in a large number of downloads. Uncovered by researchers at SophosLabs, the malware dubbed Andr/HiddnAd-AJ, is thought to have infected at least a million users, and potentially many more, as one of the malicious apps was downloaded 500,000 times before being pulled by Google.


Some of the malicious apps used to deliver the malware.

Image: SophosLabs

When one of the malicious apps is first run, it calls home for configuration information on a server controlled by those behind the scheme.

Crucially, in order to hide the nefarious nature of the download, no malicious operations are run on an infected device for the first few hours after installation. However, once a period of grace has passed, the configuration download from the server will run, providing a list of URLs, messages, icons, and links -- all for pushing ads onto the victim.

In addition to the malicious activity initially being hidden, the malware is helped by the code for the adware being embedded in what looks like a standard Android programming library within the files of the app.

See also: How to build a successful career in cybersecurity (free PDF)

In addition to the standard programming subcomponents of the app, the attackers add a 'graphics' section, which looks innocent, but contains instructions for getting all the information and files required for running malicious adverts.

Upon discovering the malicous apps, Sophos informed Google, which has now removed the apps from the Play Store.

Nonetheless, despite Google's failure to spot the malicious nature of these apps, Sophos recommends Android users stick to downloading apps from the Play Store -- because it's still safer than third-party Android app stores.

The official nature of the Play Store also means that if malicious apps slip through the cracks, users can help alert Google about the threat.

"If you find a dodgy app in the Play Store, it is worthwhile reporting it, on the computer security principle that an injury to one is an injury to all," Paul Ducklin, senior technologist at Sophos, told ZDNet.

Now read: Information security policy

"After all, if your report helps to convince Google to remove the offending app, you just played a positive part in preventing anyone else from downloading it in future."

A Google spokesperson told ZDNet that Sophos had informed them about the malware and that it has now been removed from the Play Store.

A recent report by Google said the company detected 99 percent of apps with malicious content before anyone could install them and the vast majority of its two billion Android users are safe from malware.

Nonetheless, with a user base that large, even a small percentage of malicious apps slipping through the net can result in millions of users inadvertently becoming victims.

Recent and related coverage

BlackBerry CEO says security is key competitive advantage over other Android handsets

At CES 2018, BlackBerry CEO John Chen said the company's phones (now manufactured and sold by TCL) are the most secure Android phones.

Android security triple-whammy: New attack combines phishing, malware, and data theft

Attacks on three fronts ensure attackers have all the information they need to steal banking details in the latest evolution of the Marcher malware, warn researchers.

Phoney Android security apps in Google Play Store found distributing malware, tracking users

36 apps that posed as tools to keep users safe from attacks were actually installing malware on their devices.


Editorial standards