Security researchers found more than two dozen apps on the Google Play Store, with almost 2.1 million downloads, that displayed full-screen ads after downloading configuration files.
By the end of August, 25 apps in the Play Store had been analyzed, and no hint of malicious behavior was observed. The apps would then download malware configuration files that made their behavior suspicious.
The malware components bundled with the apps then enable the modules. These modules hide the apps' icons and display ads on the affected mobile devices, which in turn earns money for the malware developers.
Google removed all 25 apps on September 2, after they were reported. Before removing them, the company made sure that malicious functions were not coded into the APKs (Android Package Kits) that were submitted for review.
Symantec's Threat Intelligence team identified the issue, saying that the switch is controlled remotely through the downloaded configuration files, which lets the malware developers pass Google Play's security testing.
The Symantec team also found that all the observed apps had a similar code structure and app content. This led them to believe that the apps were either developed by the same organization or at least used the same source code.
To evade detection by anti-malware solutions, the threat actors used initialization vectors and encryption keys to encode and encrypt keywords in the malware's source code.
First, the apps' icons are hidden; then the malware begins to display full-screen ads, even when the apps are closed.
Because no app title is displayed in the advertisement window on affected devices, users cannot identify which app is behind it.
One of the developers was smart enough to publish two identical apps on the app store. One of the apps was clean, and the other was filled with malicious code. The aim was to confuse users and get the malicious app onto their mobile devices.
The clean app was boosted and shown in the Top Trending Apps category of the Play Store. The expectation was that users would search for it, install the malicious app by mistake, and end up with ad-pushing malware on their devices.