Authored by Dexter Shin
McAfee’s Mobile Research Team has identified new malware on the Google Play Store. Most of the samples disguise themselves as cleaner apps that delete junk files or optimize battery use for device management. However, this malware hides itself and continuously shows advertisements to victims. In addition, it runs malicious services automatically upon installation, without the user ever launching the app.
HiddenAds functions and promotion
They exist on Google Play even though they carry out malicious activities, so a victim looking to optimize their device can find the following apps by searching the store.
Figure 1. Malware on Google Play
Users generally assume that installing an app without opening it is safe. This malware shows why that assumption does not hold: once installed on a device, it runs without any user interaction and starts a malicious service.
In addition, the apps try to hide themselves so that users do not notice and delete them. They change their icon to the Google Play icon that users are familiar with, and change their name to ‘Google Play’ or ‘Setting.’
Figure 2. The malware hides itself by changing icons and names
The automatically executed services constantly display advertisements to victims in a variety of ways.
Figure 3. A sudden display of advertisements
These services also prompt users to open the app whenever they install, uninstall, or update apps on their devices.
Figure 4. A button to induce users to run app
To promote these apps to new users, the malware authors created advertising pages on Facebook. Because the Google Play link is distributed through a legitimate social media platform, users download it without suspicion.
Figure 5. Advertising pages on Facebook
How it works
This malware abuses the Contacts Provider. The Contacts Provider is the source of the data shown in the device’s contacts application; applications can also read its data and synchronize data between the device and online services. For this, Google provides the ContactsContract class, which defines the contract between the Contacts Provider and applications. ContactsContract contains a class called Directory. A Directory represents a contacts corpus and is implemented as a Content Provider with its own unique authority, so developers can use it to implement a custom directory. The Contacts Provider recognizes that an app provides a custom directory by checking for special metadata in the app’s manifest file.
Figure 6. Content providers declared with special metadata in the manifest
The important point is that the Contacts Provider automatically interrogates newly installed or replaced packages. Thus, installing a package that contains this special metadata always causes the Contacts Provider to query the package automatically.
Simply by declaring the metadata, the first activity defined in the application tag of the manifest is executed as soon as the app is installed. The first activity of this malware creates a persistent malicious service for displaying advertisements.
Figure 7. Creating a malicious service for displaying ads
In addition, the service process is recreated immediately even if it is force-killed.
Figure 8. Malicious service process that keeps being recreated
Next, the apps change their icons and names using the <activity-alias> tag to hide.
Figure 9. Using <activity-alias> tags to change app icons and names
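The two manifest-level tricks described above (a content provider declaring itself as a contacts directory so the Contacts Provider queries the package on install, and an activity-alias that relabels the app as ‘Google Play’ or ‘Setting’) can both be spotted by static triage of a decoded AndroidManifest.xml. The following Python script is an added example written for this article; it is not McAfee’s code and not taken from the malware. The page does not name the metadata key, so the script assumes the key documented for ContactsContract.Directory, android.content.ContactDirectory, and the sample manifests it parses are constructed for illustration. A real APK ships a binary manifest, so this is meant to run on the text form produced by a decoder such as apktool or aapt2. Note that legitimate apps (for example enterprise address-book clients) also declare directory providers, so a hit is a triage signal to be combined with the alias check and behavioural evidence, not a verdict on its own.

```python
"""Static triage of a decoded AndroidManifest.xml for the HiddenAds auto-start and
icon-hiding tricks. Added example, not the original article's or the malware's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Metadata key from the ContactsContract.Directory documentation (assumption: the
# article refers to it only as "special metadata").
CONTACT_DIRECTORY_META = "android.content.ContactDirectory"
# Labels the article reports the malware using to impersonate system apps.
IMPERSONATED_LABELS = {"google play", "setting", "settings"}


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_contact_directory_providers(root):
    """Return authorities of <provider> elements that declare a contacts directory.
    Such providers are interrogated by the Contacts Provider on install/replace."""
    app = root.find("application")
    if app is None:
        return []
    hits = []
    for prov in app.findall("provider"):
        for md in prov.findall("meta-data"):
            if (_attr(md, "name") == CONTACT_DIRECTORY_META
                    and str(_attr(md, "value")).lower() == "true"):
                hits.append(_attr(prov, "authorities"))
    return hits


def find_impersonating_aliases(root):
    """Return (alias name, label) pairs for <activity-alias> entries whose label
    mimics Google Play or Settings, the renaming trick described in the article."""
    app = root.find("application")
    if app is None:
        return []
    hits = []
    for alias in app.findall("activity-alias"):
        label = (_attr(alias, "label") or "").strip().lower()
        if label in IMPERSONATED_LABELS:
            hits.append((_attr(alias, "name"), _attr(alias, "label")))
    return hits


def triage_manifest(xml_text):
    """Parse a decoded manifest and report both indicators plus a combined flag."""
    root = ET.fromstring(xml_text)
    providers = find_contact_directory_providers(root)
    aliases = find_impersonating_aliases(root)
    return {
        "package": root.get("package"),
        "contact_directory_providers": providers,
        "impersonating_aliases": aliases,
        # Both tricks together match the pattern the article describes.
        "hiddenads_pattern": bool(providers) and bool(aliases),
    }


# Constructed sample: a fake cleaner showing both indicators (not a real package).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakecleaner">
  <application android:label="Example Cleaner" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".GooglePlayAlias" android:targetActivity=".MainActivity"
                    android:label="Google Play" android:icon="@drawable/fake_gp"
                    android:enabled="false"/>
    <provider android:name=".DirectoryProvider"
              android:authorities="com.example.fakecleaner.directory"
              android:exported="true">
      <meta-data android:name="android.content.ContactDirectory" android:value="true"/>
    </provider>
    <service android:name=".AdService"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with neither indicator.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes.provider"
              android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

Running the script prints one finding dictionary per sample; the constructed fake cleaner reports both the directory provider and the ‘Google Play’ alias, while the benign notes app reports neither. In a pipeline this check fits well as a pre-filter on new or updated APKs before dynamic analysis, because it needs only the manifest.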
Users infected worldwide
These apps have confirmed install counts ranging from 100K to 1M+. Because the malware runs as soon as it is installed, the install count corresponds to the number of victims. According to McAfee telemetry data, this malware and its variants affect a wide range of countries, including South Korea, Japan, and Brazil:
Figure 10. Top affected countries include South Korea, Japan, and Brazil
This malware auto-starts, so users are infected the moment they download it from Google Play. New variants are still being developed and published under different developer accounts, so it is not easy for users to recognize this type of malware.
We have already disclosed this threat to Google, and all reported applications were removed from the Play Store. McAfee Mobile Security detects this threat as Android/HiddenAds and protects you from this type of malware. For more information about McAfee Mobile Security, visit https://www.mcafeemobilesecurity.com
Indicators of Compromise
| App Name | Package Name | Downloads |
| --- | --- | --- |
| Full Clean -Clean Cache | org.stemp.fll.clean | 1M+ |
The post New HiddenAds malware affects 1M+ users and hides on the Google Play Store appeared first on McAfee Blog.