Researchers at McAfee’s Mobile Research Team found a new malware on the Google Play Store, called ‘HiddenAds’, which disguises itself as cleaner apps that delete junk files on devices or one that can help optimize battery life for device management.
This new malware hides and displays advertisements constantly to the users. Experts say they run malicious services automatically upon installation without executing the app.
Malware on Google Play
Although they have malicious activities, they exist on Google Play, so the victim can search for the following apps to optimize their device.
When this malware is installed on the victim’s device, they run malicious services automatically upon installation even without needing any user interaction to open the apps.
“They try to hide themselves to prevent users from noticing and deleting apps. Change their icon to a Google Play icon that users are familiar with and change its name to ‘Google Play or ‘Setting’”, explains McAfee’s Mobile Research Team.
Display Advertisements to Victims
These services suggest users run an app when they install, uninstall, or update apps on their devices.
Promoting Apps to New Users
The malware authors created advertising pages on Facebook, as it is the link to Google Play distributed through legitimate social media, leaving little margin for doubt for the users.
The Working of the Malware
The adware apps abuse the Contact Provider Android component, which allows the transfer of data between the device and online services. For this, Google provides ContactsContract class, which is the contract between the Contacts Provider and applications.
Experts say, there is a class called Directory. A Directory represents a contacts corpus and is implemented as a Content Provider with its unique authority. Therefore, the developers can use it if they want to implement a custom directory. The Contact Provider can recognize that the app is using a custom directory by checking special metadata in the manifest file.
“The important thing is the Contact Provider automatically interrogates newly installed or replaced packages. Thus, installing a package containing special metadata will always call the Contact Provider automatically”, according to the recent blog post from McAfee.
Also, they change their icons and names using the <activity-alias> tag to hide.
According to McAfee telemetry data, this malware and its variants affect a wide range of countries, including South Korea, Japan, and Brazil. Particularly, it is not easy for users to notice this type of malware.
For users who have installed the above-mentioned apps on their Android smartphone, it is advisable to uninstall them manually from the device.