Malicious Android photography, gaming apps downloaded 8 million times from Google Play

Users of 85 apps were spammed with relentless fullscreen advertising.
Written by Charlie Osborne, Contributing Writer

Google has eradicated 85 Android apps from the Google Play Store after researchers found they were nothing more than adware posing as legitimate software. 

Trend Micro mobile threat response engineer Ecular Xu said the apps masqueraded as photography utilities and games to lure Android handset users to download them, but once installed, they would push advert after advert and make it exceedingly difficult to close ads and maintain general smartphone functionality. 

The adware-laden applications included Magic Camera: Make Magical Photos, Blur Photo Editor, Background Replacement, Find the difference: smart detective, and Color House2019. 

Each would serve adware detected by the cybersecurity firm as AndroidOS_Hidenad.HRXH. In total, the apps account for over eight million downloads. 


Trend Micro says the adware served is not typical, run-of-the-mill code. After launch, two timesteps are recorded, the current time and time of installation --  installTime and networkInstallTime -- and the adware would then register a Broadcast Receiver that allows Android apps to send or receive system and app events. 

See also: These malicious Android apps will only strike when you move your smartphone

Whenever an impacted device is unlocked, the timestamps are first checked to see if the adware has been installed for over 30 minutes, a technique designed to evade sandboxing and analysis attempts. 

If the device passes the time check, the adware will then create a home screen shortcut and hide its icon to prevent easy uninstallation. 

Adverts are then displayed to unwitting users whenever the device is unlocked. Time checks are still in play and used to make sure the same ads are not displayed too frequently. 

In what is seriously invasive and annoying to users, each advert is displayed in a fullscreen mode, which forces device owners to watch the entire advert before being able to exit the screen or return to the app. 

Fraudsters are able to remotely control the duration of ad viewing, up to a maximum of five minutes. 

CNET: The best password managers of 2019 and how to use them

Trend Micro disclosed its findings to Google and all of the apps have now been removed. 

To many of us, adware is simply a nuisance. However, ad fraud costs legitimate networks, publishers, and related businesses dearly. Ad spending on mobile platforms is estimated to reach $87 billion in 2019, and it is believed publishers lost $2.3 billion to fraudsters in the first half of this year alone. 

As highlighted by Trend Micro's research, over half -- 57 percent -- of fraudulent mobile apps are categorized as "Games" or "Tools and Utilities," according to DoubleVerify estimates. 

Indicators of Compromise (IoCs) can be found here (.PDF). 

TechRepublic: How to prevent data destruction from cybersecurity attacks

It is far from only adware that causes a headache for Google -- other versions of malware, spyware, and stalkerware are also constantly appearing, being reported, and being removed from the Google Play Store. 

Last month, Google performed a clean sweep of the platform by removing numerous stalkerware apps provided by a Russian developer. These apps were advertised as technological means to monitor employees or to keep children safe, but the invasive nature of these apps can also be used for covert spying on partners and family members.

Many of 2018's most dangerous Android and iOS security flaws still threaten your mobile security

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards