A set of 35 apps available on the official Android app store was used to spread malware that displayed ads on users’ phones. The software masqueraded as utilities, emoji keyboards, wallpapers, image packs and other tools, together amassing over two million installs from the Google Play Store.

Not only were legitimate advertisements on websites and in other applications replaced by advertisements under the criminals’ control, but new ad spaces could also be created in places where content would originally have been. All revenue, of course, goes to the crooks’ pockets, while the apps use stealth techniques to stay installed on smartphones and avoid detection and removal by the user.

The campaign, discovered by security experts at Bitdefender, appears to be a concerted effort, with dozens of apps using Android’s own WebView components to display ads. In every case, the applications also fail to do what they promise. Instead, they change their own icon to look like the operating system’s settings so they can keep acting on the device in a hidden way.

In another method, the malware hides its presence while running in the background by deleting its entry from the “recent apps” menu. The user would therefore have to examine the list of installed software more closely, a type of behavior that does not match the main target of such scams: novice users without much knowledge of technology, who may not even realize that something is wrong.

According to the researchers, the malware can also update itself remotely, receiving new forms of obfuscation as well as features that extend the compromise of the phone. The apps are also able to detect when they are installed on devices from brands such as Samsung, Oppo and Motorola, using icons specific to these manufacturers to better hide among system apps.

Rogue apps hid themselves as system icons on Android, while displaying ads whose income went to the criminals’ pockets (Image: Reproduction/Bleeping Computer)

The apps below are the most popular in the campaign, contributing to a total of over 1.7 million downloads. As of this writing, only the first one remains online, while Google has already removed all the others from the Play Store:

GPS Location Finder (smart.ggps.lockakt);

Walls light – Wallpapers Pack (gb.packlivewalls.fournatewren);

Big Emoji – Keyboard 5.0 (gb.blindthirty.funkeyfour);

Grand Wallpapers – 3D Backdrops 2.0 (gb.convenientsoftfiftyreal.threeborder);

Engine Wallpapers (gb.helectronsoftforty.comlivefour);

Stock Wallpapers (gb.fiftysubstantiated.wallsfour);

EffectMania – Photo Editor 2.0 (gb.actualfifty.sevenelegantvideo);

Art Filter – Deep Photoeffect 2.0 (gb.crediblefifty.editconvincingeight);

Fast Emoji Keyboard APK (de.eightylamocenko.editioneights);

Create Sticker for Whatsapp 2.0 (gb.convincingmomentumeightyverified.realgamequicksix);

Math Solver – Camera Helper 2.0 (gb.labcamerathirty.mathcamera);

Photopix Effects – Art Filter 2.0 (gb.mega.sixtyeffectcameravideo);

Led Theme – Colorful Keyboard 2.0 (gb.theme.twentythreetheme);

Animated Sticker Master 1.0 (am.asm.master);

Sleep Sounds 1.0 (com.voice.sleep.sounds);

Personality Charging Show 1.0 (com.charging.show);

Image Warp Camera.

How to protect yourself from dangerous apps on Android

Even after the removal from the store, those who downloaded the software beforehand remain at risk. The recommendation is to uninstall the apps, which, as noted, can be disguised as system icons, and to scan the phone with an antivirus or security application.
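Because these apps change their icon, the package name is the reliable thing to check. The following is an added example, not code from Bitdefender or from the original article: it matches the output of `adb shell pm list packages -f -3` against the package names listed above. The sample device output and the function names are constructed for illustration.

```python
# Added example: find the packages named in this article on a device.
# Package names are copied from the article's list; "Image Warp Camera" is
# omitted because the article gives no package name for it.
REPORTED_PACKAGES = {
    "smart.ggps.lockakt", "gb.packlivewalls.fournatewren",
    "gb.blindthirty.funkeyfour", "gb.convenientsoftfiftyreal.threeborder",
    "gb.helectronsoftforty.comlivefour", "gb.fiftysubstantiated.wallsfour",
    "gb.actualfifty.sevenelegantvideo", "gb.crediblefifty.editconvincingeight",
    "de.eightylamocenko.editioneights",
    "gb.convincingmomentumeightyverified.realgamequicksix",
    "gb.labcamerathirty.mathcamera", "gb.mega.sixtyeffectcameravideo",
    "gb.theme.twentythreetheme", "am.asm.master",
    "com.voice.sleep.sounds", "com.charging.show",
}

# Constructed sample (not from a real device); shows both output formats.
SAMPLE_OUTPUT = """\
package:/data/app/~~Qx1==/gb.theme.twentythreetheme-Zk2==/base.apk=gb.theme.twentythreetheme
package:/data/app/~~Ab3==/org.example.notes-Cd4==/base.apk=org.example.notes
package:com.charging.show
"""

def parse_pm_list(output):
    """Map package name -> APK path (None without -f) from `pm list packages`."""
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip warnings and blank lines
        entry = line[len("package:"):]
        # With -f the entry is "<apk path>=<name>"; the path may contain "=",
        # so split on the last one only.
        path, sep, name = entry.rpartition("=")
        installed[name] = path if sep else None
    return installed

def find_reported(output, reported=REPORTED_PACKAGES):
    """Return (package, apk_path) pairs for installed packages on the list."""
    installed = parse_pm_list(output)
    return [(name, installed[name]) for name in sorted(installed) if name in reported]

if __name__ == "__main__":
    import sys
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for name, path in find_reported(text):
        print(f"{name}\t{path or '(path not listed)'}\tremove with: adb uninstall {name}")
```

To run it against a connected phone, pipe the output of `adb shell pm list packages -f -3` into the script; without piped input it uses the constructed sample.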

Keeping a security application of this kind installed is a good protection measure, as such solutions are capable of detecting common scams and potentially dangerous downloads. It is also important to keep the operating system up to date, so that known loopholes are closed and cannot be abused by criminals.

Finally, the ideal is to always use the official store of the Android operating system and that of your phone’s manufacturer. Look for solutions from known and certified developers, and vet an app by searching its name for reported issues or by checking download totals and comments that may indicate danger.

Source: Bitdefender