
Over 60,000 Android Apps Are Distributing Adware in an Aggressive Malware Campaign

An adware campaign involving over 60,000 Android apps has infected Android devices since October 2022. Bitdefender discovered the malicious campaign through its anomaly detection technology.

The threat actors involved in the campaign trick users into installing evasive adware to earn revenue by serving ads. The researchers warned that the activity could become a potent malware distribution campaign.

Adware campaign tricks users into sideloading cracked or “modded” Android apps

Although the malicious Android apps do not exist on Google Play Store or other official app distribution sites, hackers have crafted ingenious distribution methods.

They disguise the adware as premium Android apps with unlocked features, cracked games, utility programs such as PDF viewers and security tools, fake videos and tutorials, ad-free versions of YouTube and TikTok, and free VPN and Netflix apps. They also impersonate official apps.

Bitdefender researchers found that the adware campaign relied on organic traffic from users searching modded or cracked apps.

“For example, when the user opens a website from a Google search of a ‘modded’ app, they would be redirected to a random ad page. Sometimes, that page is a download page for malware disguised as a legit download for the mod the user was searching for,” noted the researchers.

Most victims were in the United States, South Korea, Brazil, Germany, the United Kingdom, and France.

Bitdefender suggested that the adware campaign was automated, given the large number of infected Android apps. The Romanian cybersecurity firm also predicted more infected Android apps in the wild.

“Cybercriminals have realized having malicious apps within the two popular app repositories, the Apple App Store and the Google Play Store, is too difficult to bypass,” said James McQuiggan, security awareness advocate at KnowBe4. “Hence, they work to create malicious programs and advertise them as games with unlocked features, VPNs, and other apps to entice a user to download the app to their smartphones or tablets.”

Threat actors employ ingenious evasion tactics to spread adware

Adware-infected apps employed clever evasion tactics, including hiding their names and icons and appearing at the bottom of the installed-apps list. Although Google removed the ability to hide Android app icons, the threat actors circumvented the limitation by simply not registering a launcher icon at all, so the app never appears in the app drawer.

They also depend on the Android app installation flow, which prompts the user to open the app after successful installation. When the user clicks on the “Open” prompt, the malware displays the “application is unavailable in your region” message to trick them into believing the installation failed.

“People try to install these apps, but the installation apparently fails,” the researchers noted. “In reality, the adware is successfully installed, and it soon contacts the servers. The ads begin to show a few days later, so the users might not make the connection.”

Although the adware apps still appear in the installed-apps list, they do so at the bottom, making it difficult for users to spot and uninstall them.

The adware also encrypts its SQLite database contents with SQLCipher and stores its dex files in that encrypted database, from which they are easily retrieved with a simple query. The researchers suggested that the database access key was the app certificate’s hashcode.

Android adware monitors user interaction and registers automated actions

The adware sleeps for two hours after successful installation before registering for two Android intents that trigger on device boot or on user interaction, for example, when the user unlocks the screen.

Similarly, the malware triggers an alarm every two hours to contact the server and register another alarm.

However, “the server can choose to initialize the adware phase at an unknown time interval,” the researchers stated.

When the user unlocks the phone, the malware receives an ad URL from the server and opens it in a web browser or a fullscreen WebView component.

According to the researchers, the ads load from various sources, including legitimate domains such as Google AdSense and Unity.
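The two traits described above, an app with no launcher icon and receivers that wake it on boot or on screen unlock, are both visible in a decoded AndroidManifest.xml. The following is an added example (it is not code from the article or from Bitdefender) of a static triage heuristic that scores a decoded manifest on those traits. The element and attribute names are Android’s real manifest schema; the two sample manifests and their package names are constructed for illustration, and the manifest is assumed to have already been decoded from its binary form (for example by apktool).

```python
# Added example: static triage of a decoded AndroidManifest.xml for the
# evasion traits described in the article (no launcher icon, wake-on-boot,
# wake-on-unlock). Sample manifests below are constructed, not real apps.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
USER_PRESENT = "android.intent.action.USER_PRESENT"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"


def _android_attr(element, name):
    """Read an android:-namespaced attribute such as android:name."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def _filter_contents(component):
    """Collect every action and category declared in a component's intent-filters."""
    actions, categories = set(), set()
    for intent_filter in component.findall("intent-filter"):
        actions.update(_android_attr(x, "name") for x in intent_filter.findall("action"))
        categories.update(_android_attr(x, "name") for x in intent_filter.findall("category"))
    return actions, categories


def manifest_indicators(manifest_xml):
    """Extract the facts the heuristic needs from one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {_android_attr(p, "name") for p in root.findall("uses-permission")}
    application = root.find("application")
    components = list(application) if application is not None else []

    has_launcher = boot_receiver = unlock_receiver = False
    for component in components:
        actions, categories = _filter_contents(component)
        # activity-alias counts too: it is a normal way to expose a launcher icon.
        if component.tag in ("activity", "activity-alias"):
            if MAIN in actions and LAUNCHER in categories:
                has_launcher = True
        elif component.tag == "receiver":
            boot_receiver = boot_receiver or BOOT_COMPLETED in actions
            unlock_receiver = unlock_receiver or USER_PRESENT in actions
    return {
        "package": root.get("package"),
        "has_launcher": has_launcher,
        # BOOT_COMPLETED is only delivered if the permission is also declared.
        "boot_receiver": boot_receiver and BOOT_PERMISSION in permissions,
        "unlock_receiver": unlock_receiver,
    }


def triage(manifest_xml):
    """Score 0-4; a higher score means more of the described traits are present."""
    ind = manifest_indicators(manifest_xml)
    score, reasons = 0, []
    if not ind["has_launcher"]:
        score += 2
        reasons.append("no launcher activity: the app never shows an icon in the drawer")
    if ind["boot_receiver"]:
        score += 1
        reasons.append("BOOT_COMPLETED receiver with RECEIVE_BOOT_COMPLETED permission")
    if ind["unlock_receiver"]:
        score += 1
        reasons.append("USER_PRESENT receiver: the app wakes when the screen is unlocked")
    return score, reasons


# Constructed sample: mimics the traits described in the article.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.modded.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Player">
    <activity android:name=".StubActivity"/>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a launcher activity and no receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        score, reasons = triage(xml)
        print(name, score, reasons)
```

Two caveats when using a heuristic like this. A missing launcher activity is common in legitimate apps too (keyboards, widgets, companion services), so the score is a triage signal, not a verdict. And since Android 8, a receiver for USER_PRESENT declared in the manifest is not delivered at all, so a sample that really wakes on unlock registers that receiver at runtime with registerReceiver(); its absence from the manifest therefore says nothing, and the runtime registration only shows up in dynamic analysis.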

Adware operators could start distributing potent malware, including ransomware

Although the researchers found no evidence of viruses, Trojans, or ransomware distribution, they warned that threat actors could switch tactics and distribute potent malware.

“Upon analysis, the campaign is designed to aggressively push adware to Android devices with the purpose of driving revenue. However, the threat actors involved can easily switch tactics to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information or ransomware,” noted the researchers.

“These actions reinforce the need for users to exercise caution when downloading apps from third-party websites and only use official app stores with rigorous vetting processes,” McQuiggan added. “This discovery also highlights the importance of up-to-date mobile device security software, regularly updating their devices, and, more importantly, not installing applications from unknown sources, as this has a high probability of making the user a victim of malicious attacks which can lead to identity theft or unauthorized access to their data and other applications.”