BACK

Adware Disguised as Game, TV, Remote Control Apps Infect 9 Million Google Play Users

Adware Disguised as Game, TV, Remote Control Apps Infect 9 Million Google Play UsersBy Ecular Xu Adware is bothersome, disruptive, and have been around for a long time, but they’re still around. In fact, we recently discovered an active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control …

  • 08 Jan 2019
6 min read
Adware Disguised as Game, TV, Remote Control Apps Infect 9 Million Google Play Users
By Ecular Xu Adware is bothersome, disruptive, and have been around for a long time, but they’re still around. In fact, we recently discovered an active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store. This adware is capable of displaying full-screen ads, hiding itself, monitoring a device’s screen unlocking functionality, and running in the mobile device’s background. The 85 fake apps, which have been downloaded a total of 9 million times around the world. After verifying our report, Google swiftly suspended the fake apps from the Play store. Figure 1. A screen capture of some of the adware-laden fake apps on Google Play The “Easy Universal TV Remote,” which claims to allow users to use their smartphones to control their TV, is the most downloaded among the 85 adware-loaded apps. Figure 2. A screen capture of the Easy Universal TV Remote app and its information The fake app, which already has been downloaded more than 5 million times, has received multiple complaints on the comment section pertaining to its behaviors. Figure 3. A screen capture of some of the negative reviews left by Easy Universal TV Remote users complaining about the app disappearing, not functioning as advertised, and ad pop-ups Behavior Analysis We tested each of the fake apps related to the adware family and discovered that though they come from different makers and have different APK cert public keys, they exhibit similar behaviors and share the same code. After the adware is downloaded and launched on a mobile device, a full-screen ad initially pops up. Figure 4. Screenshots of the full-screen ads that pop up on an adware-infected mobile device Upon closing the first ad, call to action buttons such as “start,” “open app,” or “next,” as well as a banner ad will appear on the mobile device’s screen. Tapping on the call to action button brings up another full-screen ad. Figure 5. Screenshots of the call to action buttons appearing on the device’s screen Figure 6. A screen capture of a full-screen ad that pops up after clicking the call to action button on one of the fake apps After the user exits the full-screen ad, more buttons that provide app-related options for users appear on the screen. It also prompts the user to give the app a five-star rating on Google Play. If the user clicks on any of the buttons, a full-screen ad will pop up again. Figure 7. Screenshots of app-related options a user can click on; all of them bring up more pop-up ads Afterwards, the app informs the user that it is loading or buffering. However, after a few seconds, the app disappears from the user’s screen and hides its icon on the device. The fake app still runs in a device’s background after hiding itself. Though hidden, the adware is configured to
Source: TrendLabs Security Intelligence BlogPublished on 2019-01-08
Blog Details
  • 08 Jan 2019

Newest Articles.

View all
  • 04 Mar 16

    Top 5 Recent Cyber-attacks/hacks and How They Could Relate to your Business.

    Read Article logo
  • 13 Mar 16

    Data leaks, how can they affect Sales and Business Integrity?

    Read Article logo
  • 20 Apr 16

    Common Cyber Security Threats Faced by Businesses and The Impacts

    Read Article logo
  • 11 May 16

    Regular Vulnerability Scans Assessments: Keeping You Safe

    Read Article logo

Get a Quote

Click below and we’ll send you a quote within 48 hours.

quote-form-pattern
  • This field is for validation purposes and should be left unchanged.

Contact Us

Click below and we’ll send you a quote within 48 hours.

quote-form-pattern
  • This field is for validation purposes and should be left unchanged.

Step 1 of 4 - Let’s get started

25%
  • Thanks for your interest in working with us. Please complete the details below and we’ll get back to you within one business day.

Buy Cyber Essentials

price-popup-pattern