A campaign targeting mainly US users disguised malware in fake security software, game cracks, cheats, free Netflix, and other "modded" apps.

Image shows a green robot that has become known as the icon for Google's Android mobile OS against a blurred background
Source: Marc Bruxelle RF via Alamy Stock Photo

More than 60,000 malicious Android apps targeted global users worldwide for more than six months with adware disguised as fake security software, game cracks, cheats, VPN software, the Netflix streaming app, and utility apps on third-party sites, researchers have found.

BitDefender researchers discovered the malicious campaign, which they said mainly targets US Android users and which they believe began in October of last year.

Bitdefender revealed in a post published this week that while the campaign predominantly aims to push adware to Androids to drive revenue for malicious actors, they "can easily switch tactics to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information or ransomware."

The researchers discovered 60,000 different apps carrying the adware, according to the post. Moreover, the researchers expect there currently are more apps distributing the same malware in the wild, they said.

The distribution of the malicious apps is notable in that it appears automated and "organic." The malware appears when users search for the types of apps behind which it was hiding — a current trend in the distribution of malicious apps, the researchers said. Usually, the victims are looking for unlocked versions of paid apps, according to the research.

"In fact, modded apps are a hot commodity, with websites dedicated entirely to offering these types of packages," the researchers explained in the post. "Usually, modded apps are modified original applications with their full functionality unlocked or featuring changes to the initial programming."

When users open a website from a Google search of a "modded" app, they then would be redirected to a random ad page that often is a download page for malware disguised as a legitimate download, the researchers said.

How the Android Malware Works

Since API 30, Google has removed the ability to hide the app icon on Android once a launcher is registered, the researchers explained. However, this only applies if a developer of the app registers a launcher in the first place, they said.

To circumvent this, the malicious apps in the campaign do not register any launchers and rely solely on the user and the default Android install behavior to run for the first time, the researchers explained. When installing a downloaded application, the last screen in the procedure will be an "Open" app; in the case of the malware, this is all it needs to ensure that it will not be removed, the researchers said. On this screen, the app shows an "application is unavailable" message to trick the user into thinking it was never installed, according to the researchers.

This then sets off a unique detection tactic, they explained in the post. The app at this point is not installed and "sleeps for two hours before registering two 'intents' that cause the app to launch when the device is booted or unlocked," the researchers wrote in the post. The latter intent also is disabled for the first two days, a further anti-detection tactic, they said.

"Then, every two hours after that, the alarm is triggered, a request to the server is made, and another alarm is registered," the researchers wrote. "The server can choose to initialize the adware phase at an unknown time interval."

Upon launch, the app reaches out to the attackers' servers and retrieves ad URLs to be displayed in the mobile browser or as a full-screen WebView ad. At this point, attackers also can make the aforementioned pivot to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information, or ransomware, the researchers added.

Malware: A Pervasive Android Threat

The existence of the campaign demonstrates that despite the myriad steps taken to thwart mobile and Android malware in particular, it remains fairly easy for threat actors to continue to use Android as a platform for threat activity, notes one security expert.

It also highlights the need for continued vigilance and even more robust security measures — such as app attestation, which requires app developers to provide answers to common security and compliance questions that are then published with the app — to protect users from such threats, says Ted Miracco, CEO of mobile security firm Approov.

Moreover, the campaign "serves as a reminder for users to exercise caution when downloading and installing applications, particularly from unofficial sources," he says.

BitDefender included in its post a list of domains known to be distributing the campaign's adware, some of which are not necessarily malware-related, the researchers said. They also posted a list of indicators of compromise to help users detect if they've been infected by the adware.

As always, a good step for user protection is to avoid downloading apps from sources other than the official app stores.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights