Suspicious group of adware apps removed from the Google Play Store

We recently came across a number of different types of apps on Google Play, ranging from cryptocurrency related apps to lifestyle apps like weather, fitness and recipe apps, that turned out to be adware. They all aggressively pushed ads, redirected users to other apps on the Play Store, collected basic information about users’ devices and were capable of receiving code to execute on the infected device.

About 26 apps, which were based on the app development framework, Cordova, included some of the basic functionalities they advertised on their Google Play profiles. However, the apps could not be properly used, because they redirected users to further apps on Google Play, aggressively displayed ads, even when the app wasn’t actively used, and abruptly crashed. We reported the apps to Google, which has removed them from the Play Store.

The apps were all published under different developer profiles, perhaps to avoid having all the apps removed at once by Google, over the course of half a year and were downloaded thousands of times. The 12 most popular apps were downloaded more than 10,000 times. A couple of the apps were crypto-related apps that claimed to rate currency conversion rates for coins and monitor cryptocurrency exchange rates, while the lifestyle apps consisted of weather, fitness and recipe apps.

After the apps were downloaded and launched for the first time, the app icons would hide from the home screen. The only way users could then access the app was through the Apps tab in the phone’s settings or through the Google Play Store. This was most likely done to prevent users from deleting the app by dragging the app’s widget to the trash bin. To uninstall the apps, the user had to uninstall them by going to the individual apps’ Google Play profile.

The apps would continue running in the background, even though they didn’t need to do so in order to function properly. The apps would push ads even when the app wasn’t being used, displaying ads over other apps, the home screen, and even the lock screen. Additionally, the apps would send back basic information like unique identifier of the phone, the app’s package name, and which system the phone was running to a remote server. Based on the information the apps send back to the server, we don’t think this information was being used to spy on the user, but rather to confirm the phone’s had the right configuration to send payloads to, or to make sure ads could be displayed properly.

We suspect the developer behind these apps hid the apps’ icons from users in order to continuously collect information without them noticing and so users wouldn’t realize which app was pushing the ads.

The apps were also capable of receiving a link from a second remote server, from which they could download code. However, either the server was not active yet, or the server waits a while until it starts sending the information back to the apps, to avoid antivirus detection. The method that calls the class loader itself is obfuscated, so that it’s not obvious that code will be loaded, but our static analysis noticed the apps included the DexClassLoader class, which lets us know the APK might attempt to load code on runtime. The developer obfuscated the usage of these classes and methods, which lead us to believe they were trying to hide the functionality from static analysis conducted by antivirus apps. Obfuscating the usage of the class loader is very shady behavior, if the developer wasn’t planning on loading anything malicious, why would they hide the fact that they might be loading code?

The reviews users left reveal that the apps were downloaded because other apps claimed they would give users free coins for games if they downloaded the apps. The apps, yet again, disappointed, as no one received a reward. There were some reviews mixed in with the negative ones that rated the app with 5 stars and reviewed the apps as being “great”, but we suspect these were fake reviews.

I’m using this to get free robux, but this app is honestly garbage

DOES NOT WORK!!! Doesn’t load data and after exiting out, I cannot find the app anywhere on my phone and when I go on to Google Play Store, it doesn’t give me the option to open, only to uninstall, so I’ll do that and never try this app again! Btw, thanks for not rewarding me from trying this worthless tapjoy offer!

Some comments also mentioned that the apps drained battery power and data, which is probably because the apps repeatedly tried to connect to a remote server for instructions.

How to avoid adware

• First and foremost, be proactive and download an antivirus software on their mobile device. Antivirus will catch and block malware and adware before it can infect a device.
• Stick to well-known and trusted developers.
• Read through app reviews. If the majority of reviews are negative – don’t download the app!
• Read the permissions apps are requesting. If an app you are downloading requests permissions that don’t make sense and don’t seem necessary for the app to function properly, you should think twice before downloading it.