85 Android Adware Apps Downloaded 9 Million Times

Researchers have found another batch of malicious Android applications on Google Play that spam users with annoying full-screen ads and make using their phones difficult.

Trend Micro calls the adware AndroidOS_HidenAd and found it inside 85 apps that masqueraded as game, TV and remote control apps, the most popular of which had been installed more than 5 million times. The apps had more than 9 million downloads combined.

The applications were uploaded on Google Play by different developers but exhibited similar behavior and shared the same code. This shows the lengths to which attackers will go to fool the app store’s scanners.

When an app containing AndroidOS_HidenAd is first launched, it will immediately display a full-screen ad. After the user closes that ad, the app will show a Start button, which, when clicked, will display another ad. When that one is also closed, the app will display multiple buttons, each of which triggers a full-screen ad.

After the initial ads, the app will appear to be loading or buffering content, then disappear from the screen and hide its icon to make it more difficult for users to locate and remove it. It will continue to run in the background and display full-screen ads every 15 to 30 minutes.

Some apps also record and then monitor the user’s screen unlock actions and will trigger ads every time the screen gets unlocked.

“While the fake apps can be removed manually via the phone’s app uninstall feature, it can be difficult to get there when full-screen ads show up every 15 or 30 minutes or each time a user unlocks the device’s screen,” the Trend Micro researchers said in their report. “As more and more people become dependent on mobile devices, the need to keep mobile devices safe from a growing number of mobile threats—such as fake apps laced with adware—is all the more pertinent.”

Finding malware or adware apps on Google Play is not a frequent occurrence, but it is not uncommon, either. That’s why users should also pay attention to an app’s ratings and reviews before installing it. Popularity is not always a reliable indicator, as the app with 5 million installations shows, but most of the adware apps, including that one, had 1-star reviews and complaints from users.

Google uses automated scans and executes new apps inside an Android emulator to discover malware or abusive behavior. However, attackers are persistent and find ways to slip through. Adware apps have also been found in the iOS App Store, even though Apple has a much more thorough app review process, which includes code analysis.

Adobe Updates Flash, Connect and Digital Editions

In a rare occurrence, Adobe released an update for Flash Player that doesn’t include fixes for security vulnerabilities. However, the company did release patches for important flaws in Adobe Connect and Adobe Digital Editions.

“These updates address feature and performance bugs, and do not include security fixes,” Adobe said in an advisory for the newly released Flash Player 32.0.0.114 version for Windows, Mac and Linux. Still, for some reason, the advisory was tagged as a “security bulletin.”

The update for Adobe Connect, Adobe’s web conferencing software, fixes an important vulnerability, CVE-2018-19718, that can expose session tokens and reveal privileges granted to a session. Users are advised to upgrade to version 10.1.

Adobe Digital Editions, a popular ebook reading application for multiple platforms, was updated to version 4.5.10 to fix an out-of-bounds read bug tracked as CVE-2018-12817 that can lead to information disclosure.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
