Researchers have discovered a raft of malicious gaming apps on Google Play that come loaded with adware, signaling that the tech giant continues to struggle with keeping bad apps off its online marketplace.
Twenty-one gaming ads discovered on Google packed with adware from the HiddenAds family were downloaded about 8 million times so far, according to new research Avast, which cited statistics from SensorTower on the number of downloads (the complete list of bogus apps can be found here).
The apps masquerade as a fun or useful application but actually “exist to serve up intrusive ads outside the app,” according to a blog posted this week by Emma McGowan, a senior writer at Avast. In the instances observed by the team, the apps entice users by promising them the ability to virtually “let your car fly across the road, trees, hills,” to shoot criminals from a helicopter, or virtually iron their clothes she wrote.
“The apps also have tactics to avoid detection by users, hiding their icons so they can’t be deleted, and hiding behind relevant-looking advertisements, which makes them hard to identify, McGowan wrote.
This tactic is similar to an adware campaign researchers discovered in July also associated with malicious photo apps on Google Play. The apps would flood Android devices with random ads instead of functioning as advertised. Like the most recent adware campaign, the apps also eluded detection by making their icons disappear from the device home screen soon after they are downloaded.
Users of the apps in the latest campaign reported finding them in ads promoting the games on YouTube, showing an increasing tendency of adware developers to use social-media channels to distribute their malicious wares, “like regular marketers would,” Jakub Vávra, threat analyst at Avast, said in a statement.
Indeed, the adware found on Google Play is one in a series of recent discoveries of this type of malware on social networks. In September, researchers observed adware spread via TikTok, he said.
“The popularity of these social networks make them an attractive advertising platform, also for cybercriminals, to target a younger audience,” Vavra said.
Google historically has struggled to keep bad apps and malware off its online store for Android apps, and has made a concerted effort over the last several years to bolster the security of the store.
Among these endeavors include stronger vetting mechanisms—which resulted in more than 790,000 apps that violate Google’s policies for app submission stopped last year before they were ever published–as well as an alliance with three endpoint security firms to help stop malicious apps before they get to Google Play.
Most recently in September, Google declared a war with so-called stalkerware on its Android app marketplace, announcing a plan to prohibit any apps that can be used to allow someone to surreptitiously track the location or online activity of another person as of Oct. 1.
Despite all of these efforts, Google continues to grapple with Android app security on the marketplace. In January, Google said it removed 17,000 Android apps to date from the Play store that have been conduits for the Joker spyware (a.k.a. Bread). However, in early September, the company deleted six apps from its Google Play marketplace that were infecting users with Joker and had accounted for nearly 200,000 installs.
Later in the month, researchers revealed that they found more than 300 apps on the Google Play Store breaking basic cryptography code rules, demonstrating how easy it is even for popular and seemingly legitimate apps on the marketplace to create security risks.