This week, Symantec Threat Intelligence’s May Ying Tee and Martin Zhang revealed that they had reported a batch of 25 malicious Android applications available through the Google Play Store to Google. In total, the applications, which all share the same code structure used to evade detection during security screening, had been downloaded more than 2.1 million times from the store.
The apps, which could hide themselves on the home screen some time after installation and begin displaying on-screen advertisements even when the applications had been closed, have been pulled from the store. But other applications using the same method to evade Google’s security screening of applications may remain.
Published under 22 different developer accounts, the apps had all been uploaded within the last five months. The similarity in coding across the apps, however, suggests that the developers “may be part of the same organizational group, or at the very least are using the same source code base,” May and Zhang wrote.
Most of the applications claimed to be either photo utilities or fashion-related. In one case, the app was a copy of another, legitimate “photo blur” utility published under the same developer account name, with the legitimate version having been featured in the “top trending apps” category of Google Play’s Top Apps charts. “We believe that the developer deliberately creates a malicious copy of the trending app in the hope that users will download the malicious version,” May and Zhang concluded.
At first, after installation, the malicious apps appear normally on the Android home screen. But when launched, they retrieve a remote configuration file that includes the malicious code. Keywords associated with the malicious activity, including the code to hide the app’s icon, are encrypted in the configuration file, “which we believe is an effort on the malware authors’ part to avoid rule-based detection by antivirus scanners,” explained May and Zhang.
Once the configuration file is downloaded, the app extracts the settings and changes its behavior accordingly. The app then hides its icon on the home screen, after which it begins displaying full-screen ads, even when the app is closed. “Full-screen advertisements are displayed at random intervals with no app title registered in the advertisement window, so users have no way of knowing which app is responsible for the behavior,” the Symantec researchers noted.
Clearly, these malicious apps are intended simply to generate advertising revenue for their developers. “Thanks to the apps’ ability to conceal their presence on the home screen, users can easily forget they downloaded them,” the researchers noted. And with no way to link the ads to a specific app, the developers have a captive audience and are free to keep pushing ads at their user-victims without concern about their apps being uninstalled.