New Android Adware on Google Play More Aggressive than Ever

Bitdefender has found 10 Google Play apps that have been packed full of aggressive adware to either subscribe users to premium-rated numbers using scareware messages or install additional apps that pack in even more ads.

The apps (including the “What is my ip?” app still available on Google Play) were designed to use a different name when installed to give users a hard time identifying and uninstalling them.

Once installed, they create a desktop shortcut named “System Manager”. If someone figures out that one of these apps is responsible for all the browser redirects and scareware messages, he’ll have a hard time finding and uninstalling the app in the Application Manager menu as it hides under the vague new name and not, for instance, “What is my ip?” Less tech-savvy users will be thrown off the scent and the app will remain installed and running indefinitely.

Probably one reason the apps circumvented Google’s vetting is because the URL used to redirect users doesn’t actually disseminate malicious .apk files. Its purpose is to redirect browsers – Android’s native browser, Chrome, Firefox, Facebook or even TinyBrowser – to a specially created URL that tosses users around from one ad-displaying website to another.

For each browser search, clicked URL, or Facebook-opened link, users are redirected to a webpage (http://www.mobilsitelerim.com/anasayfa) that displays a variety of geolocation-specific ads intended to either scare viewers into subscribing to premium-rated numbers – for an alleged security subscription – or trick them into installing more adware disguised as system or performance updates.

These ill-intended apps only require two permissions – Network Communication and System Tools – but can still cause massive headaches and potentially trick users into downloading device-clogging apps and adware.

Although they’re not malicious per se, by broadcasting sensitive user information to third parties, they resemble aggressive adware found on desktop PCs. The resulting barrage of pop-ups, redirects and ads irks users and seriously damages both the user experience and the performance of Android devices.

Aggressive adware has advanced at a dangerous clip in the past couple of years, moving from in-app advertisements and adware SDKs, to browser redirects and covertly running apps at start-up under seemingly legitimate names.

At the time of writing, some of the apps are still available on Google Play. We detect them as Android.Trojan.HiddenApp.E. We strongly encourage everyone to install a security solution that can detect malware and aggressive adware and keep them off of your Android device.

Samples md5:

f2d57300d5f991dbc965ac092d5f4301 – com.alm.alm
c1d7afa5c4eb0b8e3c0292eadf98771e – com.tr.dum.dum
16967bea7d3dcb08c12220925ef6f030 – com.est.hk
cb9d3ff0eea162dd602eefe7b08ded49 – com.est.esteban
dbc99ba3241f943cc9e58870f0e40b34 – com.brer.brer
51bc232de9af3f34a58d824da86a70bc – com.tr.ipp
996c4a1525729466d87edf85cbbdf5de – com.who.myip.detect
6f37bd3c286440e37103ee8b67aca7d6 – com.tf.fed
47b863625a8022399247fc92c4d5d178 – com.esc.escd
e1ccb51569635415e66af16cbdd94ddc – com.esc.escde

This article is based on the technical information provided courtesy of Bitdefender Researcher Alin Barbatei.