ENGLISH

Android malware found inside apps downloaded 500,000 times

103

Cyber criminals have distributed malware to hundreds of thousands of Android users by successfully hiding it inside a series of apparently harmless apps.

The malware sneaked onto the Google Play store disguised as seven different apps – six QR readers and one ‘smart compass’ – and bypassed security checks by hiding their true intent with a combination of clever coding and delaying the initial burst of malicious activity.

Following installation, the malware waits for six hours before it begins work on its true purpose – serving up adware, flooding the user with full screen adverts, opening adverts on webpages and sending various notifications containing ad related links.

All of this activity is designed with the intent of generating click-based revenue for the attackers – even if the app itself isn’t actively running.

Uncovered by by researchers at SophosLabs, the malware dubbed Andr/HiddnAd-AJ, is thought to have infected at least a million users – and potentially many more – as one of the malicious apps was downloaded 500,000 times before being pulled by Google.

The general purpose nature of the apps allowed the attackers to pull in a large number of downloads. When the malicious app is first run, it calls home for configuration information on a server controlled by those behind the scheme.

Crucially, in order to hide the nefarious nature of the download, no malicious operations are run on an infected device for the first few hours after installation.

However, once a period of grace has passed, the configuration download from the server will run, providing a list of URLs, messages, icons and links, all for pushing ads onto the victim.

See also: What is malware? Everything you need to know about viruses, trojans and malicious software

In addition to the malicious activity being initially hidden away, the malware is helped by the code for the adware being embedded in what looks like a standard Android programming library within the files of the app.

But in addition to the standard programming subcomponents of the app, the attackers add a ‘graphics’ section, which looks innocent, but contains instructions of getting all the information and files required for running malicious adverts.

Upon discovering the malicous apps, Sophos informed Google, which has now removed the apps from the Play Store.

Nonetheless, despite Google’s failure to spot the malicious nature of these apps, Sophos recommends Android users stick to downloading apps from the Play Store – because it’s still safer than third-party Android app stores.

The official nature of the Play Store also means that if malicious apps slip through the cracks, users can help alert Google about the threat.

“If you find a dodgy app in the Play Store, it is worthwhile reporting it, on the computer security principle that an injury to one is an injury to all,” Paul Ducklin, senior technologist at Sophos told ZDNet.

“After all, if your report helps to convince Google to remove the offending app, you just played a positive part in preventing anyone else from downloading it in future”.

ZDNet has contacted Google for comment, but has yet to receive a response at the time of writing. However, in a recent report, the company said it detected 99 percent of apps with malicious content before anyone could install them and the vast majority of its two billion Android users safe from malware.

Nonetheless, with a user base that large, even a small percentage of malicious apps slipping through the net can result in millions of users inadvertently becoming victims.

READ MORE ON CYBER CRIME

Can Google win its battle with Android malware?This is the easiest way to prevent malware on your Android device[CNET]Over 500 Android apps with a combined 100 million downloads found to secretly contain spywareAndroid malware bypassed Google Play store security, could have infected 4.2 million devices [TechRepublic]Fake WhatsApp app fooled million Android users on Google Play: Did you fall for it?

Related Topics: