Over 60,000 android apps secretly installed adware for months, report claims

A recent investigation by Romanian cybersecurity firm Bitdefender has revealed that over 60,000 Android apps posing as legitimate applications, have been silently installing adware on mobile devices for the past six months without user knowledge.

Bitdefender's mobile security software, equipped with an anomaly detection feature, successfully identified the malicious apps last month. The cybersecurity firm has already discovered 60,000 unique samples of adware-infected apps and suspects that many more are circulating undetected.

The campaign is believed to have originated in October 2022 and employs various disguises, such as fake security software, game cracks, cheats, VPN software, Netflix and utility apps. These malicious apps are not hosted on Google Play but are instead distributed via third-party websites found in Google Search results, where users can download APKs (Android packages) to manually install apps.

Visiting these sites will lead to redirects to ad-filled websites or prompts to download the desired app. The download sites are purposefully designed to distribute adware-infected Android apps. Once installed, the apps do not configure themselves to run automatically but instead rely on the standard Android app installation flow, where users are prompted to manually open the app.

Detecting these malicious apps is challenging due to their lack of an icon and the presence of a UTF-8 character in the app's label. This hidden nature allows the app to remain dormant unless the user initiates it, resulting in potential invisibility.

Once launched, the app displays an error message claiming that the "application is unavailable in your region" and prompts the user to uninstall it. However, in reality, the app remains installed and becomes active after a two-hour delay or when specific triggers, such as device booting or unlocking, occur. The app then contacts the attackers' servers to fetch advertisement URLs, which are displayed in the mobile browser or as full-screen WebView ads.

Currently, the adware campaign is primarily focused on displaying advertisements, but researchers warn that threat actors could easily replace the adware URLs with more malicious websites, such as those hosting banking Trojans or ransomware.

Android devices are particularly vulnerable to malware due to the ability to install applications from outside the official Google Play Store, where apps undergo thorough inspection for malware. However, threat actors continue to evade detection, even on Google Play, leading to the broad distribution of malicious apps.

Recently, cybersecurity researchers from Dr. Web and CloudSEK discovered a spyware software development kit (SDK) installed on over 400 million Android devices from apps available on Google Play.