This article appeared in Threatpost on January 9, 2019.
At least 85 fake apps harboring adware, disguised as game, TV, and remote control simulator apps, have been removed from the Google Play app store.
Researchers with Trend Micro said Tuesday that they found an active adware family in fake apps on the Google Play store that had been downloaded a whopping 9 million times around the world. Once downloaded, the fake apps hide themselves on the victim’s device and continue to show a full-screen ad every 15 minutes.
“This adware is capable of displaying full-screen ads, hiding itself, monitoring a device’s screen unlocking functionality, and running in the mobile device’s background,” Ecular Xu, mobile threat response engineer with Trend Micro, said in the report. “After verifying our report, Google swiftly suspended the fake apps from the Play store.”
Google did not respond to a request for comment from Threatpost.
After the initial ad is closed, the fake app would then show prompts like “start,” “open app” or “next” – but tapping on these buttons brings up yet another full-screen ad.
The app then informs the user that it is loading or buffering – but then disappears from the phone’s screen and hides the app’s icon on the device. Researchers said that the fake app still runs in the device’s background after hiding itself, and is configured to keep showing ads on the user’s device at regular intervals.
Some of the fake apps exhibit an even trickier behavior, where they monitor the victim’s actions and show an ad each time the user unlocks the mobile device’s screen, researchers said.
These apps are able to do so by registering “a receiver module…in AndroidManifest.xml so that each time a user unlocks the device it will then trigger a full-screen ad pop up,” according to Xu.
Though they come from different companies, researchers said that the fake apps appear to have similar behaviors, and share the same code, indicating that the adware is from the same family: “We tested each of the fake apps related to the adware family and discovered that though they come from different makers and have different APK cert public keys, they exhibit similar behaviors and share the same code,” they said.
One of the most-downloaded apps containing adware is the “Easy Universal TV Remote,” which said it allows users to control their TVs using their smartphones. The app, offered by a firm called “Big Fishes,” was downloaded more than 5 million times.
Negative ratings in the review section of the app on Google Play gave away suspicious clues that the app was adware, including claims that it was causing phones to crash and that it was vanishing into thin air after download.
To remove the fake apps, users can manually uninstall them using the phone’s app uninstall feature. However, “it can be difficult to get there when full-screen ads show up every 15 or 30 minutes or each time a user unlocks the device’s screen,” researchers said.
Adware has continued to pop up on official app marketplaces. Last year, Google removed 22 malicious adware apps, ranging from flashlights and call recorders to WiFi signal boosters, that had been downloaded up to 7.5 million times from the Google Play marketplace.
Mike Bittner, digital security & operations manager at The Media Trust, said that adware is more than just an annoyance: It can potentially be used for more malicious purposes like directing devices to steal information linked to the user’s device; downloading unwanted files; and redirecting users to malicious sites.
“It is tantamount to a hostile takeover of the user’s browser,” he said. “Once bad actors are able to collect information en masse, they can sell the information on the dark web or parlay that information for targeting activities that enable bad actors to commit identity theft or influence voter behavior.”