Another day, another report of malicious Android apps on the Play Store. Once again, numerous malicious apps that targeted users with ads surfaced on Google's official store.
Android Apps Showed Intrusive Ads
Researchers from the technology firm White Ops have published a detailed report on a batch of malicious Android apps. These apps appeared legitimate on the Google Play Store but actually served intrusive ads.
Briefly, the researchers caught as many as 38 different Android apps committing ad fraud, among them beauty camera and photo editing applications. Altogether, the apps had a whopping 20 million downloads.
The researchers described three types of fraud committed by the apps:
- Out-of-Context (OOC) Ads: showing ads sourced from various ad networks outside the app itself, so the user cannot tell which app is responsible.
- Out-of-Context Navigation: redirecting users to various links as instructed by the command-and-control (C&C) server.
- App Icon Removal: removing the app's icon from the device launcher after installation, so the app is hard to find and uninstall and effectively goes stealth.
Targeting the Google Play Store is nothing new for such apps; what differs in this campaign is how the malicious code is hidden. This appears to be an attempt to remain on the Play Store persistently while evading its security checks.
To do so, the attackers packed extra Dalvik Executable (DEX) files into the APKs in obfuscated form to evade detection. As the researchers stated,
Those extra DEX files are unpacked and loaded in memory by the packer software the first time the app is opened. Standard APK analysis tools like APKTool, JEB, jadx, or Android Studio can’t see the contents of those DEX files when looking at the APK file, making it harder for researchers—and presumably the Play Store—to inspect the app code.
The threat actors also used Arabic and Chinese characters in this obfuscation, apparently to create confusion about the authors' origin.
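As an added example (not White Ops' tooling and not code from the campaign), the following Python script applies three triage heuristics drawn from the description above to an APK, which is just a zip archive: a DEX header in any entry that is not `classes*.dex`, non-ASCII entry names, and high-entropy non-media blobs, which is what a packed or encrypted payload looks like before the packer unpacks it in memory. The sample APK is constructed in memory; its entry names and payloads are hypothetical.

```python
"""Triage an APK for DEX payloads hidden outside classes*.dex.

Added example, not White Ops' tooling. Heuristics, from the report's description:
  - a DEX header ("dex\\n035\\0" etc.) in an entry that is not classes*.dex
  - an entry name containing non-ASCII characters
  - a high-entropy non-media blob, the usual shape of a packed/encrypted payload
"""
import hashlib
import io
import math
import re
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"                      # every DEX version starts with "dex\n"
STANDARD_DEX = re.compile(r"^classes\d*\.dex$")
# Formats that are compressed by design and would otherwise trip the entropy check.
MEDIA_EXT = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".mp3", ".mp4", ".ogg",
             ".ttf", ".otf", ".woff", ".zip", ".jar")
ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or random data sits near 8.0
SAMPLE_BYTES = 4096       # only the head of each entry is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk(apk_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious zip entry to the list of heuristics it triggered."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with apk.open(info) as fh:
                head = fh.read(SAMPLE_BYTES)   # decompressed content, not the raw zip bytes
            reasons = []
            if head.startswith(DEX_MAGIC) and not STANDARD_DEX.match(name):
                reasons.append("dex-magic-outside-classes")
            if not name.isascii():
                reasons.append("non-ascii-name")
            if (len(head) >= 256 and not name.lower().endswith(MEDIA_EXT)
                    and shannon_entropy(head) > ENTROPY_THRESHOLD):
                reasons.append("high-entropy")
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample, not a real app: a zip with the shape of an APK."""
    dex_stub = b"dex\n035\x00" + b"\x00" * 64          # header-only DEX stub
    # Deterministic pseudo-random bytes standing in for an encrypted payload.
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", dex_stub)                        # legitimate DEX
        apk.writestr("assets/config.json", b'{"ads": true}')         # benign asset
        apk.writestr("assets/\u0645\u0644\u0641/data.bin", dex_stub)  # hidden, unencrypted DEX
        apk.writestr("assets/payload.bin", packed)                   # packed payload
        apk.writestr("res/drawable/icon.png", packed[:1024])         # media: not flagged
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_apk(build_sample_apk()).items():
        print(f"{entry}: {', '.join(reasons)}")
```

The magic-byte check only catches payloads stored in the clear; a packer that encrypts its DEX files defeats it, which is why the entropy heuristic is there, at the cost of false positives on compressed assets not covered by the extension list. Neither replaces dynamic analysis: the reliable way to see what such an app really loads is to run it and dump the DEX files from memory after the packer has unpacked them on first launch.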
Google Removed The Apps
The researchers also observed the threat actors converting some of their apps back into apparently legitimate versions, though they could not determine the exact reason. One possible explanation is that the attackers were trying to evade detection and planned to reintroduce the malicious code later.
Following this discovery, White Ops reported the apps to Google, which removed all of them from the Play Store.
Let us know your thoughts in the comments.