Adware-Ridden Apps in Google Play Infect 30 Million Android Users

malware google play adware

Google Play has removed up to 50 apps that once downloaded plagued systems with full-screen ads.

More than 50 malicious apps have been discovered on the Google Play app marketplace, peddling adware to millions of Android victims.

The 50 adware apps, which have been since removed, include fitness, photoshopping and gaming apps, and were installed a total of 30 million times, researchers at Avast said in a Tuesday analysis.

“The adware applications are linked together by the use of third-party Android libraries which bypass the background service restrictions present in newer Android versions,” researchers said in a post. “The applications in this article used the libraries to keep displaying more and more ads to the user, which is against Play store rules.”

Names of the apps that have been removed from Google Play include: Chess Battle, Connect the Dots, Easy Pics Cutter, Magic Gamepad – Stress Releaser & Boredom Blocker, Pro Photo Blur, Free Watermark Camera 2019, Magic Cut Out and more. A full list of screenshotted apps can be found here.

Adware is a tricky type of malware which once downloaded persistently displays full-screen ads – and in some cases tries to persuade users to install further adware-ridden apps. Researchers said so far they have found two versions of the adware, dubbed “TsSdk” – after a term found in the code of the first version of the adware.

google play app adware

The first version was installed 3.6 million times from Google Play apps that were simple game, fitness or photo-editing apps – such as one app called HiFit. These were mostly installed in India, Indonesia, Philippines, Pakistan, Bangladesh and Nepal, researchers said.

Interestingly, the apps peddling this first version of adware worked as advertised in their Google Play descriptions – however, they would add a malicious app shortcut and a “Game Center” to the victims’ home screen, both of which, once clicked on, would begin to show full-screen ads, mostly for various games.

“[The first version of adware] is not very well obfuscated and the adware SDK is easy to spot in the code,” researchers said. “It is also the less prevalent of the two versions. Some variants of [this version] also contain code that downloads further applications, prompting the user to install them.”

The second version of the adware was installed a whopping 28 million times, mostly via fitness and music apps distributed in the Philippines, India, Indonesia, Malaysia, Brazil, Nepal and Great Britain.

This second version of the adware is more advanced, as it carries out several checks before deploying full-screen ad functionality, and it’s also encrypted: “It seems like the developers of the adware put a little more effort into [the newer version], as it appears newer and its code is better protected,” researchers said. “The adware code is encrypted using the Tencent packer, which is rather hard to unpack by analysts, but is easily captured during dynamic analysis in”

In the video below, researchers show how the downloaded adware plays out.

In addition to Google Play, this newer adware version is also distributed in Facebook ads, researchers said. In the four hours after download, this newer version shows ads every 15 minutes.

Despite Google Play’s January claim that it has been ramping up its offensive against malicious apps, they have continued to plague the official app store for Android devices.

Just in this past January, Google Play removed two malicious apps that were infecting devices with a notorious banking malware bent on scooping up victim’s credentials. Also, last month an Android spyware dubbed MobSTSPY emerged to ride trojanized apps into victims’ phones, mainly via Google Play.

Also, early last year, Google removed 22 malicious adware apps ranging from flashlights to call recorders to WiFi signal boosters, which together were downloaded at least 7.5 million times from the Google Play marketplace.

Google did not respond by deadline to a request for statement from Threatpost.

Suggested articles