Almost two and a half million Android and iPhone users downloaded seven adware apps from the Google Play Store and Apple App Store, according to research by a cybersecurity company.
Many of the apps were being promoted via TikTok and Instagram accounts – one of which had over 300,000 followers. Detailed by cybersecurity researchers at Avast, the apps have been brought to the attention of Apple and Google.
The apps themselves are all relatively simple – prank applications to 'shock' friends, music downloaders and wallpaper apps, but they all aggressively display pop-ups which either outright charge users for using additional functions, or display adverts that take up the entire screen, requiring users to click on them to remove them. Both schemes generate revenue for those behind the apps.
One of the ways the apps have managed to bypass the security protections of the official Android and Apple app stores is that they're HiddenAds trojans, which, while appearing legitimate to app store protections, push malicious functionality from outside the application.
That means the activity only emerges once the app has been installed by the user and the permissions provided enable the app to receive instructions from outside the app – which in this case is to display intrusive adverts and demand individual charges of up to $8 from users.
"The apps we discovered are scams and violate both Google's and Apple's app policies by either making misleading claims around app functionalities, or serving ads outside of the app and hiding the original app icon soon after the app is installed," said Jakub Vávra, threat analyst at Avast.
The apps that have been removed from Google Play include ThemeZone - Shawky App Free - Shock My Friends, and Ultimate Music Downloader - Free Download Music. Another set of apps including Shock My Friends – Satuna, 666 Time, ThemeZone - Live Wallpapers and shock my friend tap roulette v are no longer available from the Apple App Store in the UK.
While adware, malware and other malicious apps can be difficult to identify, users can protect themselves by not installing them in the first place. That means carefully reading reviews of apps, because low reviews and complaints about functionality or excess charges could indicate something is wrong.
Users should also be wary of apps that charge excessive amounts for basic features, as that's likely a sign that something isn't right. It's also a good idea to check the permissions the app asks for, because a request for excessive access to the device is another warning sign.
The researchers note that one of the apps requests access to a device's external storage, which can include photos, videos, and files, depending on how the storage is used. "Accessing external storage is not a must for a wallpaper app," said Vávra.
"So rather than just tapping 'Allow' the next time a new app asks for certain permissions, take a minute to think about whether or not it really needs that access. Does a weather app need to access your microphone? Nope. Does a wallpaper app need to access your storage? Nope. That's a sign the app is likely a scam," he added.
Google told ZDNet that the offending apps have been removed from the store – although ZDNet has informed Google that at the time of writing one remains. Apple hasn't responded to a request for comment.