Google has pulled down three apps from its Play app store that were pushing unwanted ads to Android users, but only after they were installed by millions.
The three apps were reported to Google yesterday by security firm Avast, which discovered the apps had sneaked past Google's Play store checks despite clearly suspicious behaviour.
One of the three apps, a card game aimed at English-language users called Durak, had been installed between five million and 10 million times since December last year, according to Google's stats. The other two apps targeted Russian-speaking users, including an IQ test app and a Russian history app.
As one victim highlighted in a video posted in January, once a device woke up, the malicious app began displaying system notification-style messages that urged the user to 'click ok' to fix up non-existent problems, such as a slow internet connection. Once the user has hit 'OK', the app then redirected them to other apps on Google Play, in some cases to legitimate security apps.
Avast mobile malware analyst Filip Chytry noted that in some cases the apps also attempt to nudge users to third-party app stores.
Durak, in particular, may have been able to rack up millions of installs because it initially functions as a normal gaming app.
"This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors," said Chytry.
"After 30 days, I guess not many people would know which app is causing abnormal behaviour on their phone, right?"
That's the real challenge for users if they've installed these apps: it's difficult to tell which app on a device is triggering the fake ads and therefore hard to say which one should be removed. The messages will continue to display even if a real security product is installed.
Avast reported the suspect apps to Google yesterday and as of Wednesday the three apps had been removed for the Play store. Users on Avast forums, however, claimed to have reported the apps to Google in late January.
Adware apps like these appearing on Google Play are not good news for Google, which has tightened up its developer policies over the past few years to prevent scams.
Besides an outright ban on virus, worms, and trojans, Google's developer content policy outlaws advertisements through system-level notifications unless it's an integral feature of an app.
In this case, the malicious ads were being served by three legitimate third-party ad networks. The instructions for displaying ads - and for the apps to wait for weeks before doing so - are contained in an Android package file (APK) in the advertising software developer kit (SDK).
An Avast forum user points out the "APK file contains config file for 'mobi.dash' ad sdk. It is called 'ads_settings.json' and it is stored under 'res\raw' folder. It configures how long app should wait before showing ads (e. g. 'overappStartDelaySeconds' property, in this particular case it has 86400 value, which means one day, 24 hours * 60 minutes * 60 seconds).
"Also APK file contains malicious code inside package 'mobi.dash.*'. For example there is class called 'mobi.dash.homepage.AdsHomepageUtils' which can change browser homepage and 'mobi.dash.shortcuts.AdsShortcutUtils' which creates launcher shortcuts when command server sends appropriate message."
Read more on this story