Malware found in 85 apps posing as games or photography utilities displays full-screen ads and takes ‘unique’ steps to avoid detection
Google has removed some 85 apps from the Play Store after they were found to be thinly disguised adware.
The apps, which appeared to be games or photography utilities, used “unique techniques” to evade detection, according to Ecular Xu, a researcher at Trend Micro, which discovered the malware.
The apps, which bombarded users with full-screen ads, also tried to make themselves more difficult to remove.
Altogether they have been downloaded 8 million times, Xu said.
“While they may be viewed as a nuisance at best, mobile ad fraud- and adware-related incidents became so rampant last year that it cost businesses hefty financial losses,” said Xu in an advisory.
The apps all contained the same malware, which Trend Micro detects as AndroidOS_Hidenad.HRXH.
They made use of unusual features to avoid detection, including using time-stamps to delay displaying ads until after the app had been installed for 30 minutes.
The malware also uses the Android intent action USER_PRESENT to help detect whether the user is actively using the phone.
Assuming these conditions check out, the app begins displaying full-screen ads each time the user unlocks the device.
The ads can last up to five minutes, and while they’re playing they can’t be switched off.
The malware also tries to make itself more difficult to uninstall by hiding its icon and making an app shortcut appear on the home screen in its place.
Unlike the app icon, the shortcut can’t be used to quickly uninstall the app, forcing the user to go into app settings to do so.
Xu noted that some Android devices allow users to restrict apps from creating home screen icons, or require user approval to do so.
“If the shortcut isn’t created, users could be made more aware of its more unusual behaviors,” Xu said.
Trend Micro provided indicators of compromise in its advisory.
Google routinely detects and removes adware and other malware from the Play Store.
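A static triage check for the behaviours described above, added here as an example and not taken from Trend Micro's advisory: it reads a decoded AndroidManifest.xml (as produced by a tool such as apktool) and reports a manifest-declared USER_PRESENT receiver alongside the legacy launcher shortcut permission. The permission name, the function names and both sample manifests are assumptions constructed for illustration; receivers registered at runtime and the 30-minute delay are not visible in a manifest.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
USER_PRESENT = "android.intent.action.USER_PRESENT"
# Legacy launcher permission for home-screen shortcuts (assumed signal, heuristic only).
SHORTCUT_PERM = "com.android.launcher.permission.INSTALL_SHORTCUT"

def _names(node, tag):
    """android:name values of every <tag> element at or below node."""
    return {e.get(ANDROID + "name") for e in node.iter(tag)}

def triage_manifest(xml_text):
    """Return the manifest-level signals that match the behaviour in the article."""
    root = ET.fromstring(xml_text)
    receivers = sorted(r.get(ANDROID + "name") for r in root.iter("receiver")
                       if USER_PRESENT in _names(r, "action"))
    # Launcher entry points: the components an app would disable to hide its icon.
    launchers = sorted(c.get(ANDROID + "name")
                       for tag in ("activity", "activity-alias") for c in root.iter(tag)
                       if "android.intent.action.MAIN" in _names(c, "action")
                       and "android.intent.category.LAUNCHER" in _names(c, "category"))
    shortcut = SHORTCUT_PERM in _names(root, "uses-permission")
    return {"unlock_receivers": receivers, "shortcut_permission": shortcut,
            "launcher_components": launchers,
            "review": bool(receivers) and shortcut}

# Constructed sample manifest (not from a real app).
SAMPLE_FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed.photo">
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".UnlockReceiver">
      <intent-filter><action android:name="android.intent.action.USER_PRESENT"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
# Same manifest with the unlock trigger swapped out: one signal alone is not flagged.
SAMPLE_BENIGN = SAMPLE_FLAGGED.replace(USER_PRESENT, "android.intent.action.BOOT_COMPLETED")

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_FLAGGED))
    print(triage_manifest(SAMPLE_BENIGN))
```

The listed launcher components are the ones to check on a device when an installed app has no icon in the app drawer but still shows a home-screen shortcut.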