Android adware apps on Google Play amass two million installs


Several malicious Google Play Android apps installed over 2 million times push intrusive ads to users while concealing their presence on the infected devices.

In their latest monthly mobile threat report, Doctor Web’s analysts identified trojans on Google Play associated with the ‘FakeApp,’ ‘Joker,’ and the ‘HiddenAds’ malware families.

Of particular interest are the following four adware (HiddenAds) apps disguised as games:

  • Super Skibydi Killer – 1,000,000 downloads
  • Agent Shooter – 500,000 downloads
  • Rainbow Stretch – 50,000 downloads
  • Rubber Punch 3D – 500,000 downloads

HiddenAds game app on Google Play (Dr. Web)

Dr. Web explains that once victims install these apps on their devices, the apps hide themselves by replacing their icons with that of Google Chrome or by using a transparent icon image, which leaves an empty space in the app drawer.

These apps run stealthily in the background upon launch, abusing the browser to launch ads and generate revenue for their operators.

The analysts also discovered several apps belonging to the FakeApp family, which direct users to investment scam sites.

In other cases, Dr. Web spotted game apps that loaded dubious online casino websites in violation of Google Play policies. 

Some notable examples of those are:

  • Eternal Maze (Yana Pospyelova) – 50,000 downloads
  • Jungle Jewels (Vaibhav Wable) – 10,000 downloads
  • Stellar Secrets (Pepperstocks) – 10,000 downloads
  • Fire Fruits (Sandr Sevill) – 10,000 downloads
  • Cowboy’s Frontier (Precipice Game Studios) – 10,000 downloads
  • Enchanted Elixir (Acomadyi) – 10,000 downloads

Fake app taking users to casino sites (Dr. Web)

Finally, the antivirus team spotted two Joker family apps on Google Play, which subscribe users to premium paid services:

  • Love Emoji Messenger (Korsinka Vimoipan) – 50,000 downloads
  • Beauty Wallpaper HD (fm0989184) – 1,000 downloads

All the apps presented in this report had been removed from Google Play by the time of writing.

Still, users who might


Fake ‘RedAlert’ rocket alert app for Israel installs Android spyware


Israeli Android users are targeted by a malicious version of the ‘RedAlert – Rocket Alerts’ app that, while it offers the promised functionality, acts as spyware in the background.

RedAlert – Rocket Alerts is a legitimate open-source app used by Israeli citizens to receive notifications of incoming rockets targeting the country. The app is highly popular, with over a million downloads on Google Play.

Since Hamas terrorists launched their attack on southern Israel last week, involving thousands of rockets, interest in the app has exploded as people sought timely warnings about incoming rockets in their area.

According to Cloudflare, hackers of unknown motivation and origin are leveraging the elevated interest in the app and the fear of the attacks to distribute a fake version that installs spyware.

This malicious version is being distributed from the website “redalerts[.]me,” which was created on October 12, 2023, and offers two buttons to download the app for the iOS and Android platforms.

The iOS download redirects a user to the legitimate project’s page on the Apple App Store, but the Android button directly downloads an APK file to be installed on the device.

Fake site used for distributing spyware (Cloudflare)

Spyware alert

The downloaded APK uses the legitimate code of the real RedAlert app, so it contains all the regular functionality and appears as a legitimate rocket alert tool.

However, Cloudflare found that the application requests additional permissions from the victims, including access to the user’s contacts, phone numbers, SMS content, list of installed software, call logs, phone IMEI, logged-in email and app accounts, and more.

Upon launch, the app initiates a background service that abuses these permissions to collect data, encrypt it with AES in CBC mode, and upload it to a hardcoded IP address.

Code to gather data from the infected device (Cloudflare)

43 Android apps in Google Play with 2.5M installs loaded ads when a phone screen was off (Security Affairs)

Experts found 43 Android apps in Google Play with 2.5 million installs that displayed advertisements while a phone’s screen was off.

Recently, researchers from McAfee’s Mobile Research Team discovered 43 Android apps in Google Play with 2.5 million installs that loaded advertisements while a phone’s screen was off.

The experts pointed out that this behavior violates the Google Play Developer policy. It harms advertisers, who pay for ads that are never displayed to users, and it harms users, because it drains the battery, consumes data, and exposes them to multiple risks, including information leaks and disruption of user profiling caused by the clicker behavior.

The malicious apps include TV/DMB players, music downloaders, news apps, and calendar applications.


The Ad Fraud campaign uncovered by McAfee targeted mainly Korean Android users.

According to the report, the ad fraud library used in this campaign implements specific tricks to avoid detection and inspection, such as delaying the initiation of its fraudulent activities.

“It deliberately delays the initiation of its fraudulent activities, creating a latent period from the time of installation. What’s more, all the intricate configurations of this library can be remotely modified and pushed using Firebase Storage or Messaging service. These factors significantly add to the complexity of identifying and analyzing this fraudulent behavior.” reads the report. “Notably, the latent period typically spans several weeks, which makes it challenging to detect.”

After the latent period, the rogue apps start fetching and loading ads whenever the device screen is turned off, so users never know that their devices are involved in this fraudulent scheme. The ad library registers device information by contacting the unique domain (ex: mppado.oooocooo.com) linked with the application. The app then retrieves the specific advertisement URL from Firebase Storage and shows the ads.

However, quickly turning on the


Android Apps With 1M Installs Steal 2FA Codes & Passwords

Check Point Research has recently published a study revealing the discovery of a previously unknown malware variant dubbed FluHorse.

The malware comprises multiple malicious Android apps that impersonate legitimate ones; unfortunately, most of these fake apps have already been installed by over 1,000,000 users.

All these malicious applications are designed to steal victims’ credentials and 2FA codes, compromising their personal and sensitive information.

FluHorse targets various industries across the Eastern Asian market and is distributed through email.

These attacks can prove persistent, dangerous, and challenging to detect, as they often leverage email accounts belonging to high-profile entities during the initial stages of the campaign.

Mimicked Apps

Attackers find applications that mimic trusted, reputable companies particularly enticing, since such apps are likely to attract financially capable customers.

The legitimacy of the copied applications makes them even more appealing to hackers. The impersonated apps include:

  • ETC, with 1,000,000+ Google Play installs
  • VPBank Neo, with 1,000,000+ Google Play installs

According to the ETC APK developer’s website, the application generates approximately 16 million transactions daily, with over 6 million users relying on its services.

VPBank, a major private bank in Vietnam, recorded total assets surpassing 631 trillion dongs as of December 2022, cementing its position as one of the country’s biggest financial institutions.

The enterprise encompasses a diverse range of financial services, spanning:

  • Retail
  • Corporate
  • Consumer finance
  • Wealth management operations

Experts have also noted the presence of other malicious dating applications; however, they have not identified any corresponding legitimate applications that the malware attempts to impersonate.

Targeted banks

Infection Chain

The malicious applications contain nothing beyond multiple replica windows that prompt the victim for input.

Whatever the attackers’ broader intentions, the scheme’s effectiveness is undisputed: once the victim enters their sensitive data, the information is swiftly exfiltrated to the command and control (C&C) server.

Upon reaching this step, the


Android malware infiltrates 60 Google Play apps with 100M installs


A new Android malware named ‘Goldoson’ has infiltrated Google Play through 60 legitimate apps that collectively have 100 million downloads.

The malicious component is part of a third-party library used by all sixty apps, which the developers unknowingly added to their apps.

Some of the impacted apps are:

  • L.POINT with L.PAY – 10 million downloads
  • Swipe Brick Breaker – 10 million downloads
  • Money Manager Expense & Budget – 10 million downloads
  • GOM Player – 5 million downloads
  • LIVE Score, Real-Time Score – 5 million downloads
  • Pikicast – 5 million downloads
  • Compass 9: Smart Compass – 1 million downloads
  • GOM Audio – Music, Sync lyrics – 1 million downloads
  • LOTTE WORLD Magicpass – 1 million downloads
  • Bounce Brick Breaker – 1 million downloads
  • Infinite Slice – 1 million downloads
  • SomNote – Beautiful note app – 1 million downloads
  • Korea Subway Info: Metroid – 1 million downloads

According to McAfee’s research team, which discovered Goldoson, the malware can collect data on installed apps, WiFi and Bluetooth-connected devices, and the user’s GPS locations.

Additionally, it can perform ad fraud by clicking ads in the background without the user’s consent.

Stealing data from Android devices

When the user launches an app that contains Goldoson, the library registers the device and receives its configuration from a remote server whose domain is obfuscated.

The configuration contains parameters that set which data-stealing and ad-clicking functions Goldoson should run on the infected device and how often.

Goldoson configuration (McAfee)

The data collection function is typically set to activate every two days, sending to the C2 server a list of installed apps, geographical location history, MAC address of devices connected over Bluetooth and WiFi, and more.

JSON request that exfiltrates data (McAfee)

The level of data collection depends on the permissions granted to the infected app during


Android 14 slated to start preventing old app installs

Google would rather developers keep their work updated to target as new an Android version as possible; in fact, its latest Play Store guidelines now specify that apps must target at minimum the OS’s second-newest major release.

The transition from Android 13 to 14 is now said to become even more stringent in this respect. Citing the developer Dylan Roussel, 9to5Google asserts that Google intends to leave older apps behind by amending the impending OS upgrade’s minimum API level requirement in a way that better enforces compatibility with newer Android versions.

The new requirements may not be that extreme at first, only allowing new installs of apps that target Android 6.x (Marshmallow) or newer, although this criterion will progressively exclude targets until Android 12 is the oldest approved version.

Therefore, users who want or need to use apps that are no longer under development may soon no longer be able to download them through the Google Play Store. Side-loading is usually the go-to workaround in this situation; however, Android 14’s new API thresholds will reportedly apply to side-loaded apps as well.

Then again, according to Roussel, some other workarounds, such as manual installation via the command shell, may still be options under Android 14’s new app-install restrictions, which are reportedly intended to curb malware on the leading mobile OS.
