Bitdefender researchers have found 35 malicious apps in the Google Play Store that serve intrusive ads; together they have been downloaded more than 2,000,000 times.
The researchers say all of the apps follow the classic tactic of luring users with a promised specialized function and then changing their name and icon after installation, which makes them harder to find and remove. Most often the malware switches its icon to a gear and renames itself “Settings”; in other cases it imitates Motorola, Oppo and Samsung system apps.
Once on the victim’s device, the apps display intrusive ads by abusing WebView, generating ad revenue for their operators. Because the apps use their own ad-loading framework, it is likely that additional malicious payloads could be delivered to a compromised device through it.
The malware uses several evasion techniques, including delaying its update checks for as long as possible so that it stays inconspicuous on the device. If the victim does notice the suspicious “Settings” entry and taps it, the malicious app launches in a window of size 0, so nothing visible appears, and then opens the real system Settings menu so the user believes they have launched the genuine app.
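The rename-and-re-icon trick described above is usually done on Android with a second launcher entry (an activity-alias carrying the impersonated label and icon) that ships disabled and is switched on after installation. The following triage script, added here as an illustration and not part of Bitdefender’s report or tooling, parses a decoded AndroidManifest.xml (as produced by apktool, for example) and flags launcher entries that differ from the app’s own label or icon, imitate system or OEM names, or are disabled in the manifest. The package name, component names and both manifests are constructed samples; the activity-alias mechanism is an assumption about how such apps are typically built, not something the article states.

```python
"""Flag the icon/name-swap pattern in a decoded AndroidManifest.xml.

Added example, not code from the original article or from Bitdefender.
Assumes the manifest has already been decoded to plain XML and that the
disguise is implemented with launcher activity-aliases (an assumption).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Names the article says the malware adopts; an ad app has no reason to use them.
IMPERSONATED_LABELS = {"settings", "samsung", "motorola", "oppo", "system"}

# Constructed sample: a "GPS finder" app with a hidden, disabled "Settings" alias.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gpsfinder">
  <application android:label="GPS Location Finder" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".SettingsAlias" android:targetActivity=".MainActivity"
        android:label="Settings" android:icon="@drawable/ic_gear"
        android:enabled="false" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>"""

# Constructed sample of a benign manifest with a single launcher activity.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def android_attr(name: str) -> str:
    """Key for an android:<name> attribute in ElementTree's namespace syntax."""
    return f"{{{ANDROID_NS}}}{name}"


def is_launcher(component: ET.Element) -> bool:
    """True if the component owns a home-screen icon (MAIN action + LAUNCHER category)."""
    for intent_filter in component.findall("intent-filter"):
        actions = {e.get(android_attr("name")) for e in intent_filter.findall("action")}
        categories = {e.get(android_attr("name")) for e in intent_filter.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def triage_manifest(manifest_xml: str) -> list:
    """Return a list of {"component": name, "reasons": [...]} findings; empty if nothing looks off."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    app_label = (app.get(android_attr("label")) or "").lower()
    app_icon = app.get(android_attr("icon"))

    components = list(app.findall("activity")) + list(app.findall("activity-alias"))
    launchers = [c for c in components if is_launcher(c)]
    findings = []
    for comp in launchers:
        label = (comp.get(android_attr("label")) or "").lower()  # empty = inherits app label
        icon = comp.get(android_attr("icon"))
        enabled = comp.get(android_attr("enabled"), "true").lower()
        reasons = []
        if label and label != app_label:
            reasons.append(f"launcher label '{label}' differs from app label '{app_label}'")
        if any(word in label for word in IMPERSONATED_LABELS):
            reasons.append(f"launcher label '{label}' imitates a system or OEM app")
        if icon and app_icon and icon != app_icon:
            reasons.append("launcher icon differs from the app icon")
        if comp.tag == "activity-alias" and enabled == "false":
            reasons.append("launcher alias is disabled in the manifest (can be enabled at runtime)")
        if reasons:
            findings.append({"component": comp.get(android_attr("name")), "reasons": reasons})
    if len(launchers) > 1:
        findings.append({"component": "<manifest>",
                         "reasons": [f"{len(launchers)} launcher entries; one is normally enough"]})
    return findings


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding["component"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A disabled launcher alias is legitimate in some apps (seasonal icons, for instance), so treat the output as a triage signal to be confirmed by looking at what enables the alias at runtime, not as a verdict.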
The analysts also note that the malware relies on heavy obfuscation and encryption to hinder reverse engineering, and hides its main payload in two encrypted DEX files.
The list of the most popular of the malicious apps (those with over 100,000 downloads) can be seen below. Most of them have already been removed from the official Google store, but they remain available in third-party app stores, including APKSOS, APKAIO, APKCombo, APKPure and APKsfull.