Tens of thousands of Android applications were recently discovered pushing adware on the devices for months.
This is according to a new report from cybersecurity researchers Bitdefender. After deploying an anomaly detection feature to its mobile security solution last month, the company found 60,000 unique apps that pretended to be various security, utility, and entertainment apps but were in reality just pushing adware.
The apps were being distributed through third-party websites, propped up solely for the distribution of malicious apps. None of the apps were found on the Play Store, it seems. Bitdefender says that it’s likely that the 60,000 number is not final and that the number of malicious software is probably a lot bigger.
The threat actors would create these websites and then get them as high on Google’s search engine results pages (SERP) as possible, probably also utilizing other distribution channels, such as social media sites, instant communications apps, email, and more.
Once the victim installs the app on their endpoint, it would tell them it is unavailable in their region, and offer a quick way to uninstall it. However, the uninstallation process would never happen, and the apps would simply remain on the device.
The developers also deployed a couple of other obfuscation methods to make sure the adware remains hidden on Android devices for as long as possible.
Firstly, the apps don’t automatically run once downloaded, as that would require additional privileges which would likely raise suspicion among the targets. Instead, they go the route all other apps take and wait for the users to run them.
Secondly, after the “uninstall” process, the apps go to sleep for a few hours, after which they would register two “intents” that make the app launch upon reboot or device unlock. The intents themselves are “asleep” for the first two days.
As usual, the best way to protect against such threats is to make sure to only download software from legitimate sources.