A large-scale ad fraud campaign has resulted in more than 60 million downloads of malicious apps from the Google Play Store, according to new analysis by Bitdefender.
These apps display out-of-context ads, and many also attempt to steal user credentials and credit card data through phishing attacks.
The campaign features at least 331 apps, all of which have capabilities to bypass Android security restrictions.
These capabilities allow the apps to remain hidden on devices and to activate without user interaction, behaviors that should not be possible in Android 13.
The Bitdefender researchers said the campaign is either the work of a single actor or of several criminals using the same packaging tool sold on online black markets.
The campaign remains active, with the latest malware published in the Google Play Store going live in the first week of March 2025.
Most of the applications first became active on Google Play in Q3 2024.
Silviu Stahie, Security Analyst at Bitdefender, told Infosecurity that of the 331 apps observed in the campaign, 10 are still active and have even received updates.
“Google has removed many of the apps, and we can easily conclude that the attackers are trying to modify their malware in their efforts to stay ahead of the detection systems,” he explained.
Stahie added that Google has been informed of the findings and is currently investigating the issues raised.
Apps Staying Hidden from Android Users
The malicious apps mimic simple utility apps such as QR scanners, expense trackers, health apps and wallpaper apps.
The investigated applications bypass Android security restrictions and start activities even when they are not running in the foreground. Moreover, without the permissions required to do so, they spam users with continuous, full-screen ads and launch phishing attempts.
The apps declare a contact content provider that is automatically queried by the system after installation has completed and the application entry point is loaded.
A content provider manages access to a central repository of data, coordinating access to an application's data storage layer on behalf of a number of different APIs and components.
In recent apps used in the campaign, the content provider has been referenced as a string in resources. Previously, it was referenced directly in the app's manifest.
The researchers said this shows the attackers adapting their methods as their techniques are discovered and apps are removed from the store.
The attackers were observed using several approaches to keep the malicious apps concealed from users by hiding the icon, despite this behavior no longer being allowed in the Android operating system (OS).
Some of the apps were downloaded with the Launcher Activity disabled by default. Activity Launcher is an app that allows Android users to directly run some of the activities of installed apps.
After download, by abusing the startup mechanism provided by the content provider, the apps use native code to enable the launcher, which is likely done as an additional way to evade detection.
After the “setup process” is complete, the app disables its launchers and the icon disappears entirely from the phone's launcher.
This behavior should not be permitted in newer Android versions, which suggests the app developers found a vulnerability or are abusing the API.
Another bypass technique used is abusing the Android Leanback Launcher, a launcher specifically designed for Android TV that is not available on regular Android phones.
Some of the apps use an alias of the Leanback Launcher. If the alias is disabled by default and the Leanback Launcher is not shown, the app can choose whether or not to enable or disable the Launcher alias.
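The manifest-level indicators described in the paragraphs above (a content provider referenced through resources rather than literally, a launcher entry shipped disabled, and a Leanback launcher alias in an app that is not an Android TV app) can be checked statically. The following Python script is an added example written for this page, not Bitdefender's tooling and not code from the campaign; it assumes the manifest has already been decoded to text (for instance with apktool), and both manifests it inspects are constructed for the example.

```python
"""Static triage of a decoded AndroidManifest.xml for the autostart and
launcher-hiding indicators described in the article.

Example written for this page, not Bitdefender's tooling. Assumes the
manifest has already been decoded to text (e.g. with apktool); both
manifests below are constructed for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER = "android.intent.category.LAUNCHER"
LEANBACK_LAUNCHER = "android.intent.category.LEANBACK_LAUNCHER"
# Features a genuine Android TV app declares; without them a Leanback
# launcher entry in a phone app deserves a closer look.
TV_FEATURES = {"android.software.leanback", "android.hardware.type.television"}


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _categories(component):
    """All intent-filter categories declared on an activity or activity-alias."""
    return {
        _attr(cat, "name")
        for flt in component.findall("intent-filter")
        for cat in flt.findall("category")
    }


def triage_manifest(xml_text):
    """Return (finding, component) tuples for the patterns worth reviewing."""
    root = ET.fromstring(xml_text.strip())
    app = root.find("application")
    findings = []
    if app is None:
        return findings

    declares_tv = any(_attr(f, "name") in TV_FEATURES for f in root.findall("uses-feature"))

    launcher_entries = 0
    for comp in app.findall("activity") + app.findall("activity-alias"):
        name = _attr(comp, "name")
        cats = _categories(comp)
        if LAUNCHER in cats:
            launcher_entries += 1
            # A home-screen entry shipped disabled is the "icon hidden by
            # default" pattern; the app decides later whether to show it.
            if _attr(comp, "enabled") == "false":
                findings.append(("launcher entry disabled by default", name))
        if LEANBACK_LAUNCHER in cats and not declares_tv:
            findings.append(("Leanback launcher entry in non-TV app", name))
    if launcher_entries == 0:
        findings.append(("no launcher entry at all", None))

    for prov in app.findall("provider"):
        # Provider class or authority pulled from string resources instead of
        # written literally, so a plain manifest grep no longer shows it.
        if any((_attr(prov, k) or "").startswith("@") for k in ("name", "authorities")):
            findings.append(("provider attributes resolved from resources", _attr(prov, "name")))
    return findings


# Constructed manifest showing all three indicators (hypothetical package name).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed.wallpaper">
  <application android:label="Wallpapers">
    <activity android:name=".MainActivity" android:enabled="false">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity-alias android:name=".TvAlias" android:targetActivity=".MainActivity" android:enabled="false">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LEANBACK_LAUNCHER"/></intent-filter>
    </activity-alias>
    <provider android:name="@string/provider_class" android:authorities="@string/provider_authority" android:exported="false"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app: literal provider, enabled launcher.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <provider android:name=".NotesProvider" android:authorities="com.example.constructed.notes.provider" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

These are triage heuristics, not verdicts: plenty of legitimate apps declare content providers, and a real Android TV app is expected to carry a Leanback launcher entry. The point is to rank which manifests get a deeper look, in the same way the article describes the indicators shifting (literal manifest reference to resource string) as the attackers adapt.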
The researchers also observed some apps trying to hide in Settings to avoid removal by the user.
Apps Launch Ads and Phishing Attacks Without Permission
Bitdefender observed that the apps were able to show ads on Android devices without being started, even when another application was running in the foreground.
The mechanism for starting the activity is located in the native library. The apps can run without the required permissions by abusing several API calls. An API call is a message sent from a client application to an API endpoint to initiate a specific action or retrieve data.
This allows the attackers to launch phishing attacks on the device screen, asking users to enter credentials for websites such as Facebook and YouTube. In some cases, users were prompted to provide credit card information under various pretexts.
The researchers noted that it is also common for attackers to scare users with warnings of infected devices in an attempt to persuade them to install third-party apps that could turn out to be dangerous malware, such as banking Trojans.
Most of the apps use custom, dedicated command and control (C2) domains. Different ways of encrypting communication have also been employed, using AES, Base64 and custom encryption.
Device information is extracted using a dictionary-based structure, but the keys in this dictionary are polymorphic and unique to each application. This constant change makes detection and analysis harder.
Image credit: Tada Images / Shutterstock.com