Malicious Android apps deactivated fraud code to bypass Google's security scans

Trick didn't work. Google banned them anyway.
Written by Catalin Cimpanu, Contributor

Google has recently removed a suite of malicious Android applications from the official Play Store that were caught showing out-of-context ads and intrusive browser redirects on Android smartphones.

Bot mitigation company White Ops, which discovered and reported the malicious apps to Google's security team, said the apps were developed by the same criminal group.

Researchers said the group created at least 38 Android apps geared towards bombarding users with ads, but that recent applications had been modified to disable the malicious adware functions inside the source code, most likely to avoid Google's Play Store security scans during the app submission and approval process.

Hiding the malicious code was necessary because when the group first began creating the adware apps, they didn't have much success.

Operation started in January 2019

White Ops says the group has been active since January 2019, when it first began uploading apps on the official Play Store. Twenty-one of the group's 38 malicious apps were uploaded on the Play Store during this initial phase of their operation.

The apps were all focused on beauty-related topics, such as apps for taking selfies, or apps that added various filters to user photos. However, once installed, the apps showered users with ads, opened browsers to an online ad, and tried to prevent users from uninstalling them by hiding their app icons.

However, these apps weren't very sophisticated. While they passed Google's initial reviews, the apps were eventually detected as malicious.

White Ops says that most of these apps lasted, on average, around 17 days before being removed from the app store.


However, despite the short 17-day lifespan, most of the apps managed to amass quite a following, with an average of 565,833 installs.

Modus operandi changed last fall

But White Ops says the group didn't sit idly as Google kept taking down their initial apps. By September 2019, the group had changed their tactics by adopting two methods to hide their apps' malicious ad-bombarding code.

The first was to use Arabic characters in various places of their apps' source code. The idea was to prevent Google's reverse engineers from spotting glaring malicious functions by using Arabic text instead of English and even using verses from the Quran in some places.

Second, the group also began removing the malicious code outright. Since September 2019, the group has been busy uploading a batch of 15 beauty apps that had all their malicious ad-blasting functionality disabled.

This means the apps are "technically" clean and legitimate, but the code could be re-added via an update at any time in the future, which White Ops believes is very likely.

However, since the apps came from a known threat actor, Google has removed the apps to be on the safe side.

According to White Ops, the 38 malicious apps had been downloaded more than 20 million times since the group's operation began in January 2019. This is a pretty large number of impacted users for an operation that wasn't even very sophisticated, when compared to other Android adware strains.

ZDNet readers can find the names of the 38 malicious Android apps in this PDF file. Additional details about this malware campaign are available in White Ops' report, here.
