Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

Researchers uncover 60,000 malware-compromised Android apps in the wild

A recently rolled-out application anomaly detection feature in a mobile security suite has uncovered a global adware campaign operating at a vast scale.

user icon David Hollingworth
Wed, 07 Jun 2023
Researchers uncover 60,000 malware-compromised Android apps in the wild
expand image

Bitdefender added the functionality to its Bitdefender Mobile Security last month, and with data from that, the company has been able to take a closer look at the campaign.

At the moment, the campaign is aimed at spreading adware on Android devices, but Bitdefender’s researchers believe it could just as easily spread more dangerous malware, such as credential stealers capable of nabbing bank details. It’s been live since October 2022 at least and comprises over 60,000 unique compromised applications, although there are likely many more as yet undiscovered.

Of the affected devices, 55.27 per cent are in the US, with South Korea and Brazil following far behind at 9.8 per cent and 5.96 per cent, respectively. France, Kazakhstan, Romania, and Italy follow, the latter with 1.93 per cent of infections.

============
============

If Australia makes the cut at all — which is possible — it is grouped in with the rest of the world at 12.9 per cent.

The spread of the campaign is based on offering cracked or altered versions of apps not otherwise available on the official App Store. This includes cracked or unlocked games, Netflix, various fake videos and tutorials, and ad-free versions of apps such as TikTok and YouTube.

What makes this campaign particularly tricky is how it gets around Google’s recent removal of the ability to hide an app icon once a launcher is installed and registered.

“However, this only applies if you register a launcher in the first place,” Bitdefender’s researchers said in a blog post. “To circumvent this, the application does not register any launchers and relies on the user, and the default Android install behaviour, to run for the first time. When installing a downloaded application, the last screen in the procedure will be an ‘Open’ app.”

The app then goes to make sure that the user thinks the app needs to be uninstalled by showing an error screen that reads: “Error – Application is unavailable in your region. Tap OK to uninstall”, along with an OK button.

But this does install the app at all, and thanks to running without a launcher, the app now has an invisible icon and is at the very bottom of the device’s app list. An invisible UTF-8 character completes the subterfuge. All that shows on the app list is a slight icon shadow and a file size, which is easy to miss.

The installed adware then sleeps for two hours and then waits for the next time the device is unlocked or turned on. From that point, the adware pings away at a server every two hours, waiting for an ad to be deployed.

The adware then displays the ad in the device’s browser in full screen. The adware can also serve videos, open new tabs, and serve links.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.