According to a new report, 85 popular Google Play Store apps with over 8 million total downloads were found to be forcing full-screen ads when installed on your smartphone.
Security research firm Trend Micro (via Ars Technica) found adware in a series of apps that posed as productivity, photography, and gaming apps on the Play Store. Once they were installed, the offending apps would then force fullscreen, unskippable ads on phones every five minutes.
Trend Micro also found that the malicious developers had the ability to increase or decrease the frequency of these intrusive ads remotely. The adware is called AndroidOS_Hidead.HRXH and within 30 minutes of being installed hides the app icon and creates a shortcut on your phone’s home screen.
By hiding in plain sight, the ad-serving apps were much harder to uninstall without heading directly into your device settings section or the Play Store. As you may know, since Android Oreo, you need to confirm before an app can create a shortcut or widget on your home screen. Even if you didn’t agree to this pop-up, the offending apps would still remain hidden from view.
Every time the user unlocks the device, the adware will perform several checks before it executes its routines. It first compares the current time (the device’s system time) with the timestamp stored as installTime; it then compares the current network time (queried via a RESTful API) with the timestamp stored as networkInstallTime.
With these, the adware-embedded app can determine if it has been installed on the device long enough, with the default delay time configured to 30 minutes. To a certain extent, using network time can evade time-based detection techniques or triggers employed by traditional sandboxes, as the app’s time settings can be configured by simply using networkInstallTime.
If the app has determined that it has been installed for more than 30 minutes, the app will then hide its icon and create a shortcut on the device’s home screen. This routine doesn’t make an apparent difference for the user, unless the device is enabled with a feature that would first notify the user that a shortcut will be created.
These apps record two timestamps: the current device time, and the install time. It then compares these with the time via network and that would be used to work out how long it has been installed before hiding itself and creating a shortcut on the home screen.
If you’re wondering if you have installed one of the offending apps, the list includes Super Selfie Camera, Cos Camera, Pop Camera, and One Stroke Line Puzzle. All of those apps managed to amass over 1 million downloads and account for around half of the total number of downloads recorded by the adware. Several other apps including Background Eraser, Meet Camera, Pixel Blur, and Hi Music Play amassed 500,000 downloads each.
This news comes just as we’re seeing Google increase Play Store approval time, hopefully, to help reduce these kinds of malicious apps. Trends Micro reported the entire list of apps directly to Google, who has subsequently pulled them from the Play Store. You can see the full list here.
More on the Google Play Store:
- [Update: Again] Google begins rolling out Material Theme Play Store
- Google now lets developers tag apps to help Play Store discovery
- Google Play Pass spotted in testing, provides ‘access to hundreds of premium apps’