Security company Avast discovered no less than 26 apps on the Google Play Store that included adware forcing ads on compromised systems, using special behavior to make it harder for users to remove the infection.
The apps were based on the Cordova development framework and used various developer names, most likely in an attempt to avoid having all of them removed at once by Google. They were published in a wide variety of categories, like cryptocurrency related, currency converters, weather, and fitness. Many recorded several thousand downloads.
Once downloaded on an Android device and launched for the first time, the apps removed their icons from the home screen, probably to make it more difficult for users to remove them, but also to make it harder to figure out which app was pushing the malicious behavior.
Ads on the lock screen
They started showing ads, even on the home and lock screens, while also collecting information like unique identifier, app package name, and Android OS version. All information was sent to a remote server, and in some instances, Avast says that apps also waited for links from a second remote server, most likely to download additional apps.
“Based on the information the apps send back to the server, we don’t think this information was being used to spy on the user, but rather to confirm the phone’s had the right configuration to send payloads to or to make sure ads could be displayed properly,” Avast says.
Many of the apps that were downloaded following the adware infection have relevant reviews posted by users whose devices were compromised and were forced to install additional payloads. Additionally, there were also 5-star reviews on some occasions, but Avast says these reviews were most likely fake.
Google has already removed all these apps from the Google Play Store, and users who want to uninstall these apps need to do it from the Store since the icon on the home screen was already gone.
EmoticonEmoticon