Trend Micro: cybercriminals launched a new Android adware campaign hidden in 182 free-to-download game and camera apps. Most of them were on the Google Play Store and collectively had millions of downloads
Cybercriminals are running a large mobile adware campaign built on 182 free-to-download game and camera apps for Android, Trend Micro security researchers have found. Most of the malicious apps (111) were on the Google Play Store and collectively had millions of downloads; the rest were on third-party stores that host generic apps, including 9 Apps and PP Assistant. The adware can hide the malicious app's icon, show full-screen ads that cannot be immediately closed or dismissed, and evade sandbox detection. According to the analysis, the campaign has been active since 2018, and although the apps were submitted by different developers, they all belong to the same adware campaign. The apps have already been removed from Google Play, but before takedown they had been downloaded a total of 9,349,000 times.
The security researchers: the cybercriminals are actively evolving and strengthening their campaign
Because the malicious apps share code structures, the researchers note, they generally exhibit the same behavior. Once downloaded and installed, an app from this Android adware campaign runs as intended for a specific period, after which its icon is hidden from the user, making it difficult to locate and uninstall. The adware then displays full-screen ads whenever the user unlocks the infected phone's screen: it registers for the broadcast action "android.intent.action.USER_PRESENT", which Android sends when the user dismisses the lock screen, and the filter is configured in the variant's code. The same code also sets a maximum show count and the interval at which ads appear on the user's phone. The cybercriminals are also actively evolving and strengthening the campaign: in more recent versions, it takes 24 hours before a scheduled task is executed on the infected device. This long delay lets the adware evade common sandbox detection techniques, which only monitor an app's behavior for a defined timeframe.
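The three traits described above (an unlock-triggered ad receiver, a hidden launcher icon, and a long scheduled delay) can be turned into a static triage check over a decoded APK. The script below is an added example written for this article; it is not Trend Micro's analysis tooling and not code from the adware itself. The manifest fragment and the decompiled-source excerpt are constructed. Two things are assumptions rather than facts from the article and are labelled as such in the code: that the icon is hidden by disabling the launcher activity with setComponentEnabledSetting (the article only says the icon is hidden), and the six-hour threshold used to call a delay "suspicious".

```python
"""Static triage of a decoded Android app for the adware traits described above.

Added example for this article, not Trend Micro's analysis tooling and not code
from the adware itself. The manifest fragment and the decompiled-source excerpt
below are constructed for illustration. Two assumptions are labelled where they
appear: the icon-hiding API and the delay threshold.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
USER_PRESENT = "android.intent.action.USER_PRESENT"
# Assumed threshold: a scheduled delay longer than this is unlikely to be seen by
# a sandbox that observes an app for a fixed window of minutes to a few hours.
SUSPICIOUS_DELAY_MS = 6 * 60 * 60 * 1000

# Constructed manifest: a launcher activity plus a receiver for every screen unlock.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".UnlockReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed decompiled-source excerpt modelled on the behaviour in the article:
# ad shown on unlock with a max count and interval, launcher icon disabled, and a
# 24-hour alarm before the scheduled task runs.
SAMPLE_SOURCE = """
public class UnlockReceiver extends BroadcastReceiver {
    static final int MAX_SHOW_COUNT = 10;
    static final long INTERVAL_MS = 30 * 60 * 1000L;
    public void onReceive(Context ctx, Intent intent) {
        if ("android.intent.action.USER_PRESENT".equals(intent.getAction())) {
            showFullScreenAd(ctx);
        }
    }
}
public class Scheduler {
    void hideIcon(Context ctx) {
        ctx.getPackageManager().setComponentEnabledSetting(
            new ComponentName(ctx, MainActivity.class),
            PackageManager.COMPONENT_ENABLED_STATE_DISABLED,
            PackageManager.DONT_KILL_APP);
    }
    void scheduleTask(Context ctx, AlarmManager am, PendingIntent pi) {
        long delay = 24 * 60 * 60 * 1000L;
        am.set(AlarmManager.RTC_WAKEUP, System.currentTimeMillis() + delay, pi);
    }
}
"""


def unlock_receivers(manifest_xml):
    """Return names of manifest receivers that subscribe to USER_PRESENT."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        if USER_PRESENT in actions:
            hits.append(receiver.get(ANDROID_NS + "name"))
    return hits


# Assumed icon-hiding technique: disabling the launcher activity component. The
# article only states that the icon is hidden, not which API the apps use.
ICON_HIDE_RE = re.compile(r"setComponentEnabledSetting\s*\([^;]*COMPONENT_ENABLED_STATE_DISABLED")


def hides_launcher_icon(source):
    """True if a call disables a component (the usual way to hide a launcher icon)."""
    return ICON_HIDE_RE.search(source) is not None


# Integer literals, optionally multiplied together (e.g. 24 * 60 * 60 * 1000L).
PRODUCT_RE = re.compile(r"(?<![\w.])\d+(?:\s*\*\s*\d+)*L?(?![\w.])")


def long_delays_ms(source, threshold_ms=SUSPICIOUS_DELAY_MS):
    """Evaluate numeric products in the source and return those at or above threshold."""
    delays = []
    for m in PRODUCT_RE.finditer(source):
        value = 1
        for factor in re.findall(r"\d+", m.group(0)):
            value *= int(factor)
        if value >= threshold_ms:
            delays.append(value)
    return delays


def triage(manifest_xml, source):
    """Combine the three indicators; score counts how many are present (0-3)."""
    findings = {
        "unlock_receivers": unlock_receivers(manifest_xml),
        "hides_launcher_icon": hides_launcher_icon(source),
        "long_delays_ms": long_delays_ms(source),
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

Run it against the output of a decoder such as apktool or jadx (manifest plus decompiled sources). Two caveats follow directly from the article's description: a receiver registered at runtime with registerReceiver, or action strings assembled at runtime, will not show up in the manifest, so a manifest hit is corroborating evidence rather than proof; and because the newer variants wait 24 hours, a sandbox run that only watches a fixed window will miss the scheduled task unless it advances the device clock or extends the observation period.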