Google has recently removed 164 apps from Google Play because they served disruptive ads, which is treated as malicious behaviour. Together, these apps had been downloaded about 10 million times.
The Satori Research Team found a large number of apps on the Google Play Store that mimicked notable apps to garner downloads, only to then bombard the user with unexpected ads. Because most of the identified apps attempted to mimic the functions of other popular apps, the researchers named them CopyCatz.
The research team discovered that these apps contain code, located in the com.tdc.adservice package, that is capable of displaying out-of-context ads. The apps' behaviour is controlled by a command-and-control configuration: a JSON file hosted on Dropbox. The researchers add that Dropbox, whose hosting is abused here, is another victim of the CopyCatz operation.
The URL of the JSON differs from app to app, but its structure is very similar across apps: it specifies the frequency of the ads and the publisher ID to be used.
Researchers detail the first app they observed triggering out-of-context ads in this campaign, Assistive Touch 2020. It is a copy of a legitimate app, Assistive Touch, and its package name is a misspelt version of the official one, a pattern common to the apps in this operation.
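The misspelt-package-name trick described above can be turned into a simple triage check: compare each installed package name against a list of official package names and flag near-misses (within a couple of edits) that are not exact matches. This is an added example, not code from the Satori report; the "official" package names below are constructed placeholders, not real app IDs, and the edit-distance threshold is an assumption.

```python
# Added example: flag package names that are near-misses of known official
# package names (typosquatting), as the CopyCatz apps did.
from typing import Dict, Iterable, Optional

# Constructed placeholders standing in for a real allowlist of official package names.
OFFICIAL_PACKAGES = {
    "com.example.assistivetouch",
    "com.example.photoeditor",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def closest_official(pkg: str,
                     official: Iterable[str] = OFFICIAL_PACKAGES,
                     max_distance: int = 2) -> Optional[str]:
    """Return the official package that `pkg` appears to impersonate, or None.

    An exact match is the legitimate app. A name within `max_distance` edits of
    an official name, but not equal to it, is a suspected copycat. The threshold
    of 2 is an assumption; tune it against false positives on your own allowlist.
    """
    if pkg in official:
        return None
    best, best_d = None, max_distance + 1
    for candidate in official:
        d = levenshtein(pkg, candidate)
        if d < best_d:
            best, best_d = candidate, d
    return best


def triage(installed: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each installed package name to the official name it mimics (or None)."""
    return {pkg: closest_official(pkg) for pkg in installed}


if __name__ == "__main__":
    # Constructed sample: one legitimate install, one copycat, one unrelated app.
    for pkg, target in triage(["com.example.assistivetouch",
                               "com.example.asistivetouch",
                               "com.totally.unrelated"]).items():
        print(f"{pkg}: {'copycat of ' + target if target else 'ok'}")
```

Feed it the output of `adb shell pm list packages` (stripping the `package:` prefix) to run it against a real device; the allowlist has to come from the package names of the apps you actually trust.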
How does it work?
Once the app is installed, the code in its com.tdc.adservice package reaches out to the command-and-control JSON, which delivers the parameters of the operation: how often ads are displayed, what type they are (in-house ads or out-of-context ads) and from which ad platform they should be retrieved.
The app then gives the unsuspecting user "a grace period of a couple of hours", depending on the command-and-control configuration, before out-of-context interstitials start appearing on the device. It also excludes itself from the list of recent apps, so that as soon as the user navigates away from it, it disappears from view.
Experts note that the apps made no attempt to cover their tracks: all of them embed the open-source Evernote job scheduler library, used as a persistence mechanism to keep the ad-serving jobs running. They added that Evernote, whose library is abused here, is also a victim of this operation.
How to prevent it?
The research team has included a full list of the apps in an appendix to the report and recommends that Android users remove any of them they have installed.
For ad platforms and security tooling, it is suggested to block any apps that request ads from activities inside the package com.tdc.adservice.
Even though ad platforms could choose to allow legitimate traffic from these apps by blocking only the out-of-context ads, the research team recommends the heavier-handed approach of blocking all the apps, since they were most likely created specifically to abuse the digital advertising ecosystem.
When downloading a new app, ensure that you're getting the real, official version: check the developer name and package name, not just the title and icon.
Look at the reviews, not just the glowing five-star ones but also the one- and two-star reviews. Those are the ones that will call out ads that don't belong and alert you that something is wrong.
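The blocking rule above (activities inside com.tdc.adservice) can be applied statically to an app's AndroidManifest.xml before it ever runs. The following is an added example, not code from the report or from any ad platform: it parses a manifest, resolves activity names, and flags activities under the com.tdc.adservice package, also recording whether each flagged activity sets `android:excludeFromRecents`, the standard manifest attribute that produces the "disappears from recents" behaviour described earlier. The manifest below is constructed for the example; it is not taken from a real app.

```python
# Added example: static check of an AndroidManifest.xml for the CopyCatz indicator
# (activities under com.tdc.adservice). The sample manifest is constructed.
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
FLAGGED_PACKAGE = "com.tdc.adservice"

# Constructed sample manifest (decoded form, e.g. as produced by apktool); not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.asistivetouch">
  <application android:label="Assistive Touch 2020">
    <activity android:name=".MainActivity" />
    <activity android:name="com.tdc.adservice.AdActivity"
        android:excludeFromRecents="true" />
    <activity android:name="com.example.asistivetouch.SettingsActivity" />
  </application>
</manifest>
"""


def qualified_name(app_package: str, name: str) -> str:
    """Resolve a manifest component name: a leading '.' is relative to the app package."""
    return app_package + name if name.startswith(".") else name


def scan_manifest(xml_text: str, flagged_package: str = FLAGGED_PACKAGE) -> Dict:
    """Return the app package, every activity under `flagged_package`, and a block verdict.

    The verdict follows the report's heavier-handed recommendation: any activity in
    the flagged package is enough to block the whole app.
    """
    root = ET.fromstring(xml_text)
    app_package = root.get("package", "")
    findings: List[Dict] = []
    for activity in root.iter("activity"):
        name = qualified_name(app_package, activity.get(f"{{{ANDROID_NS}}}name", ""))
        hidden = activity.get(f"{{{ANDROID_NS}}}excludeFromRecents", "false").lower() == "true"
        if name == flagged_package or name.startswith(flagged_package + "."):
            findings.append({"activity": name, "excludeFromRecents": hidden})
    return {"package": app_package, "findings": findings, "block": bool(findings)}


if __name__ == "__main__":
    report = scan_manifest(SAMPLE_MANIFEST)
    print(f"{report['package']}: block={report['block']}")
    for f in report["findings"]:
        print(f"  {f['activity']} (excludeFromRecents={f['excludeFromRecents']})")
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or aapt2) and pass the decoded text to `scan_manifest`. Matching on the package prefix rather than a single class name keeps the check working if the ad activity is renamed but left in the same package.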