Beware Of New Malware on The Google Play Store Disguising Themselves as Cleaner Apps

Researchers at McAfee’s Mobile Research Team found a new malware on the Google Play Store, called ‘HiddenAds’, which disguises itself as cleaner apps that delete junk files on devices or one that can help optimize battery life for device management.

This new malware hides and displays advertisements constantly to the users. Experts say they run malicious services automatically upon installation without executing the app.

Malware on Google Play

Although they have malicious activities, they exist on Google Play, so the victim can search for the following apps to optimize their device.

Figure 1. Malware on Google Play
Malware on Google Play

When this malware is installed on the victim’s device, they run malicious services automatically upon installation even without needing any user interaction to open the apps.

“They try to hide themselves to prevent users from noticing and deleting apps. Change their icon to a Google Play icon that users are familiar with and change its name to ‘Google Play or ‘Setting’”, explains McAfee’s Mobile Research Team.

Figure 2. Hide itself by changing icons and names
Malware hides itself by changing icons and names

Display Advertisements to Victims

Figure 3. A sudden display of advertisements
A sudden display of advertisements

These services suggest users run an app when they install, uninstall, or update apps on their devices.

Figure 4. A button to induce users to run app
A button to suggest user to run an app

Promoting Apps to New Users

The malware authors created advertising pages on Facebook, as it is the link to Google Play distributed through legitimate social media, leaving little margin for doubt for the users.

Figure 5. Advertising pages on Facebook
Advertisement Pages on Facebook

The Working of the Malware

The adware apps abuse the Contact Provider Android component, which allows the transfer of data between the device and online services. For this, Google provides ContactsContract class, which is the contract between the Contacts Provider and applications.

Experts say, there is a class called Directory. A Directory represents a contacts corpus and is implemented as a Content Provider with its unique authority. Therefore, the developers can use it if they want to implement a custom directory. The Contact Provider can recognize that the app is using a custom directory by checking special metadata in the manifest file.

“The important thing is the Contact Provider automatically interrogates newly installed or replaced packages. Thus, installing a package containing special metadata will always call the Contact Provider automatically”, according to the recent blog post from McAfee.

Also, they change their icons and names using the <activity-alias> tag to hide.

Final Word

According to McAfee telemetry data, this malware and its variants affect a wide range of countries, including South Korea, Japan, and Brazil. Particularly, it is not easy for users to notice this type of malware.

For users who have installed the above-mentioned apps on their Android smartphone, it is advisable to uninstall them manually from the device.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.