60,000+ Android Apps Have Delivered Months of Undetected Adware

More than 60,000 malicious Android apps have targeted users worldwide for more than six months, researchers found; they carry adware disguised as fake security software, game crackers, cheats, VPN software, Netflix streaming apps and utilities.

BitDefender researchers discovered the malicious campaign, which they say is mainly targeting US Android users, and which they believe began last October.

In a post published this week, the researchers explained that while the main purpose of the campaign is to push adware onto Android devices to generate revenue for the operators, those operators could easily switch tactics and redirect users to other types of malicious software, such as banking Trojans that steal credentials and financial information, or ransomware.

More than 60,000 different applications have been found to carry the adware, and the researchers expect that many more applications distributing the same malware are in the wild today.

The distribution of the malicious application is notable because it appears to be automated.

The malware surfaces when users search for the kinds of apps it impersonates, which is a current trend in the distribution of malicious apps. According to the researchers, victims are usually looking for unlocked versions of paid apps, commonly known as cracked versions.

In fact, modded apps are such a hot commodity that entire websites are dedicated to offering these packages. Typically, a modded application is an altered version of the original with full functionality unlocked or other changes made to the original code.

When users reach such a site via a Google search for "modded" apps, they are redirected to a random ad page, often a malware download page masquerading as a legitimate download.

How Android Malware Works

Since API 30, Google has removed the ability to hide an app's icon on Android once a launcher is registered. This only applies, however, if the application registers a launcher in the first place.

To circumvent this, the malicious apps in this campaign do not register any launchers and rely only on the user and default Android installation behavior to run for the first time.

When a downloaded app is installed, the final screen of the process offers to "Open" the app; for this malware, that single tap is all it takes to ensure it does not get deleted. On this screen, the app displays an "app not available" message to trick the user into thinking it was never installed.

This then triggers a unique evasion strategy: the app, while pretending it was never installed, sleeps for two hours before registering two 'intents' that cause the app to start when.

The latter intent was also disabled for the first two days as a further anti-detection tactic.

Then, every two hours thereafter, the alarm is triggered, a request is made to the server, and another alarm is registered. The server may choose to initialize the adware stage at unknown intervals.
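The launcher-less persistence described above leaves a pattern that can be checked for in a decoded manifest: no activity with a MAIN/LAUNCHER intent filter, yet a broadcast receiver that wakes the app. The following is an added triage heuristic, not Bitdefender's tooling; the article does not name the two intents the apps register, so the auto-start actions it looks for (BOOT_COMPLETED, USER_PRESENT) and the sample manifest are assumptions.

```python
import xml.etree.ElementTree as ET

# Added triage heuristic (not Bitdefender's tooling): flag manifests with no
# launcher activity that still register an auto-start broadcast receiver.
NAME = "{http://schemas.android.com/apk/res/android}name"
# Assumed auto-start actions; the article does not name the two intents.
AUTOSTART_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                     "android.intent.action.USER_PRESENT"}

def _names(intent_filter, tag):
    return {e.get(NAME) for e in intent_filter.findall(tag)}

def has_launcher(root):
    """True if any activity carries a MAIN action plus LAUNCHER category."""
    return any("android.intent.action.MAIN" in _names(f, "action")
               and "android.intent.category.LAUNCHER" in _names(f, "category")
               for act in root.iter("activity")
               for f in act.findall("intent-filter"))

def autostart_actions(root):
    """Auto-start actions that any <receiver> listens for."""
    return {a for r in root.iter("receiver")
            for f in r.findall("intent-filter")
            for a in _names(f, "action") if a in AUTOSTART_ACTIONS}

def triage(manifest_xml):
    """Return findings for the launcher-less auto-start pattern (may be empty)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    if not has_launcher(root):
        findings.append("no MAIN/LAUNCHER activity (no home-screen icon)")
    acts = autostart_actions(root)
    if acts:
        findings.append("auto-start receiver: " + ", ".join(sorted(acts)))
    return findings

# Constructed decoded manifest resembling the pattern; not a real sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.placeholder"><application>
  <activity android:name=".Dummy"/>
  <receiver android:name=".Wake"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
    <action android:name="android.intent.action.USER_PRESENT"/>
  </intent-filter></receiver>
</application></manifest>"""

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print("[!]", line)
```

Run it against a manifest pulled from an APK with apktool or aapt; a benign app with a home-screen icon produces no findings.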

Once launched, the app connects to the attacker's server and retrieves an ad URL to be displayed in a mobile browser or as a full-screen WebView ad.

At this point, the attackers could also use the same mechanism to redirect users to other types of malware, such as banking Trojans designed to steal credentials and financial information, or ransomware.

Malware: The Android Threat Everywhere

One security expert noted that the campaign shows how easily threat actors can continue to use Android as a platform for their operations, despite the numerous measures taken to thwart mobile and Android malware.

It also highlights the need for continued vigilance and stronger security measures, such as app attestation, which requires app developers to answer common security and compliance questions before publishing their apps, in order to protect users from such threats.

Additionally, the campaign reminds users to exercise caution when downloading and installing apps, especially those from unofficial sources.

In its post, Bitdefender published a list of domains known to distribute the campaign's adware, though not all of them are necessarily malware-related.

It also published a list of indicators of compromise to help users determine whether they have been infected by the adware.

As always, a good step to protect users is to avoid downloading apps from sources other than the official app store.

Source: blog.csdn.net/qq_29607687/article/details/131160000