While currently used to push adware, the campaign can redirect users to other types of malware, such as banking trojans to steal credentials and financial information or ransomware.

Bitdefender has uncovered a hidden malware campaign living undetected on mobile devices worldwide for more than six months. The campaign is designed to push adware to Android devices with the purpose of driving revenue. 

“However, the threat actors involved can easily switch tactics to redirect users to other types of malware, such as banking trojans to steal credentials and financial information or ransomware,” Bitdefender said in a blog.

To date, the cybersecurity firm has discovered 60,000 unique Android apps infected with the adware and suspects there are many more in the wild. The malware has been live since at least October 2022. It targets users in the US, South Korea, Brazil, Germany, the UK, and France.

“Because of the high number of unique samples discovered, the operation is most likely fully automated,” Bitdefender said.

Distribution of the malware

The threat actor distributes the malware through third-party apps, since it is not present in any official store.

“The malware’s operators, however, still need to persuade users to download and install third-party apps, so they’ve disguised their threat on highly sought-after items you can’t find in official stores, even if they were legitimate,” Bitdefender said.

In certain cases, the apps simply mimicked real ones published in the Play Store. The types of apps mimicked by the malware include game cracks, games with unlocked features, free VPNs, fake videos, Netflix, fake tutorials, YouTube/TikTok without ads, cracked utility programs (weather, PDF viewers, etc.), and fake security programs.

“The distribution is organic, as the malware appears when searching for these kinds of apps, mods, cracks, etc,” Bitdefender said, adding that mod apps are a hot commodity, with websites dedicated entirely to offering these types of packages. 

Usually, mod apps are modified original applications with their full functionality unlocked or featuring changes to the initial programming. When a user opens a website from a Google search of a mod app, they would be redirected to a random ad page. Sometimes, that page is a download page for malware disguised as a legit download for the mod the user was searching for. 

Evading detection for six months

The infected apps behave like a normal Android app during installation and, once installed, prompt the user to tap “Open”. The app does not configure itself to run automatically, as that may require additional privileges.

Google removed the ability to hide an app’s icon on Android once the app registers a launcher. That restriction, however, only takes effect if a launcher is registered at all. “To circumvent this, the application does not register any launchers and relies on the user, and the default Android install behavior, to run for the first time,” Bitdefender said.

Once installed, the malware shows a message stating “application is unavailable” to trick the user into thinking the malware was never installed. 

“The fact that it has no icon in the launcher and a UTF-8 character in the label makes it harder to spot and uninstall. It will always be at the end of the list, which means the user is less likely to find it,” Bitdefender said in the blog. 

Once launched, the app will communicate with the attackers’ servers and retrieve advertisement URLs to be displayed in the mobile browser or as a full-screen WebView ad.
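As an added defender-side illustration (not code from Bitdefender or from the article), the Python heuristic below flags installed apps that combine the traits described above: no launcher activity, a sideloaded origin, and a label made of invisible characters. The inventory records, package names and the store list are constructed assumptions; on a real device they would be populated from package manager output.

```python
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Optional

# Installer package names treated as official stores (assumption: adjust for your fleet).
KNOWN_STORES = {"com.android.vending", "com.sec.android.app.samsungapps", "com.amazon.venezia"}


@dataclass
class InstalledApp:
    package: str
    label: str                  # user-visible app name
    has_launcher_activity: bool
    installer: Optional[str]    # installing package; None when sideloaded/unknown
    is_system: bool = False


def label_is_deceptive(label: str) -> bool:
    """True when the label is blank or carries control/format/invisible code points,
    which sort the entry to the end of the app list and make it hard to spot."""
    if not label.strip():
        return True
    for ch in label:
        cat = unicodedata.category(ch)
        if cat in ("Cc", "Cf", "Co", "Cn") or (cat.startswith("Z") and ch != " "):
            return True
    return False


def assess(app: InstalledApp) -> List[str]:
    reasons = []
    if not app.has_launcher_activity:
        reasons.append("no launcher activity (icon never appears)")
    if app.installer not in KNOWN_STORES:
        reasons.append("not installed by a known store (sideloaded)")
    if label_is_deceptive(app.label):
        reasons.append("label contains invisible or non-printable characters")
    return reasons


def find_hidden_apps(apps: List[InstalledApp]) -> Dict[str, List[str]]:
    """Return {package: reasons} for non-system apps with no launcher entry plus at
    least one more warning sign; a single trait alone is common and not reported."""
    hits = {}
    for app in apps:
        if app.is_system:
            continue
        reasons = assess(app)
        if not app.has_launcher_activity and len(reasons) >= 2:
            hits[app.package] = reasons
    return hits


# Constructed sample inventory; "\u200b" is a zero-width space used as the whole label.
SAMPLE_INVENTORY = [
    InstalledApp("com.android.chrome", "Chrome", True, "com.android.vending"),
    InstalledApp("com.example.keyboard", "Keyboard", False, "com.android.vending"),
    InstalledApp("com.example.modgame", "Game Mod", True, None),
    InstalledApp("com.example.weatherpro", "\u200b", False, None),
    InstalledApp("com.example.telephony", "", False, None, is_system=True),
]

if __name__ == "__main__":
    for pkg, why in find_hidden_apps(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(why))
```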

Android devices are increasingly targeted by malware 

Android devices are increasingly becoming an attractive target for threat actors. Last month, an Android software module with spyware functionality called SpinOk was discovered by cybersecurity firm Doctor Web.

The malware collects information on files stored on devices and can transfer them to malicious actors. It can also substitute and upload clipboard contents to a remote server. Android apps containing the SpinOk module with spyware features were installed over 421,000,000 times.

Earlier this week, another 101 apps compromised with the SpinOk Android malware, distributed as an advertisement SDK, were discovered by CloudSEK. Of these, 43 apps are still active on the Play Store, including some with over 5 million downloads. In total, an estimated 30 million users are affected by these additional apps.

Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld.

Copyright © 2023 IDG Communications, Inc.