A wolf in sheep’s clothing: malware on the Play Store

Android phone running slow? Think twice before installing a 'cleaner'.
12 December 2022

Malicious Android apps are appearing on the Google Play Store, disguised as apps that ‘clean’ phones by deleting junk files or that optimize battery life through device management. The malware is termed HiddenAds, and once a malicious app is installed, it does not need to be opened before it starts showing popup ads.

Smartphones tend to get slower over time, whether because of apps’ legitimate background activity or because CPU speeds are throttled when battery efficiency declines. For the less tech-savvy, and those poor souls used to Windows computers slowing down for…reasons, ‘cleaning’ their Android phone seems like the best choice. These users will likely look to the internet for resources on how to speed their phones back up, where malicious actors are waiting.

The apps are advertised on Facebook pages, which gives an appearance of legitimacy.

By targeting victims who aren’t well-versed in technology, the malware’s authors are reaching a huge number of Android users. Once the app is downloaded, its icon changes to look like the Google Play app’s and the app is renamed to something important like ‘Settings’ or even ‘Google Play.’ Even if victims realize that an app, somewhere, is creating popups, identifying which one to delete is difficult.

The ‘cleaner’ application doesn’t have to be run for the malware to become active on a device. It also triggers popups when users try to install, update, or uninstall apps on their phones, which prompts victims to open the malware app.
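The disguise described above leaves a trace that can be checked: a package whose label changes after install, or whose label belongs to a different package. The following is an added example, not code from McAfee or from the article; it assumes two label snapshots taken from a device-management inventory or an on-device agent, and the `com.example.*` packages and all sample data are constructed. It also goes a little beyond the article by folding case, spacing and Unicode compatibility forms so near-copies of a label are caught.

```python
import unicodedata

# Assumption: on a stock Android build these labels belong to these packages.
PROTECTED_LABELS = {
    "settings": "com.android.settings",
    "google play": "com.android.vending",
    "google play store": "com.android.vending",
}

def normalise(label):
    """Fold case, Unicode compatibility forms and spacing so near-copies compare equal."""
    folded = unicodedata.normalize("NFKC", label).casefold()
    return " ".join(folded.split())

def audit(previous, current):
    """Compare two {package: label} snapshots and return {package: [reasons]}."""
    findings = {}
    for package, label in current.items():
        reasons = []
        owner = PROTECTED_LABELS.get(normalise(label))
        if owner is not None and owner != package:
            reasons.append(f"label {label!r} belongs to {owner}")
        old = previous.get(package)
        if old is not None and normalise(old) != normalise(label):
            reasons.append(f"label changed from {old!r}")
        if reasons:
            findings[package] = reasons
    return findings

# Constructed snapshots: labels as recorded at install time and some days later.
SNAPSHOT_AT_INSTALL = {
    "com.android.settings": "Settings",
    "com.android.vending": "Google Play Store",
    "com.example.junkcleaner": "Junk Cleaner",
    "com.example.batteryboost": "Battery Boost",
    "com.example.notes": "Notes",
}
SNAPSHOT_LATER = {
    "com.android.settings": "Settings",
    "com.android.vending": "Google Play Store",
    "com.example.junkcleaner": "Settings",
    "com.example.batteryboost": "\uff27oogle  Play",  # full-width G, doubled space
    "com.example.notes": "Notes",
}

if __name__ == "__main__":
    for package, reasons in audit(SNAPSHOT_AT_INSTALL, SNAPSHOT_LATER).items():
        print(package, "->", "; ".join(reasons))
```

A label change alone also happens on legitimate updates, so the two signals together are the stronger indicator.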

Malware Android apps discovered

McAfee telemetry data found that the HiddenAds software has affected devices worldwide. Top infected countries include South Korea, Japan, and Brazil, with the number of victims over a million at the time of writing.

New variants of the malware Android apps are being developed and published by developer accounts on the Google Play Store, making prevention difficult. The resilience of the malware has been shown by McAfee’s mobile research team, who demonstrated running “sudo kill -9” on the malicious process. That worked, but more instances were immediately generated.

So why are malware Android apps so widespread?

Someone who downloads an app to ‘clean’ their phone is unlikely to have a wealth of technical skills. To somewhat play along with stereotypes, users are finding information on how to fix their phones from Facebook pages, so are arguably naïve at best.

The difficulty victims then have in deleting the HiddenAds application means the attacks can continue. It’s not beyond the realms of imagination that, confronted with popups, a user may download another ‘cleaner’ app – perhaps after a recommendation helpfully supplied by the epitome of integrity in advertising, Facebook.

Also of note is that anybody can publish Android apps without charge after paying a one-time fee of $25 to create a developer account on the Google Play Store. Despite the regulations in place, this malware has proven that the checks on the software that users upload can be evaded.

This isn’t the first time that malware Android apps have been available to download on the Google Play Store. In March 2022, there was a trojan app called ‘QR Code & Barcode – Scanner’, which, once downloaded, encouraged users to download a second app containing the malware.

The scam app, downloaded by over 10,000 users, stole data and passwords from banking apps, online wallets, insurance apps, crypto wallets, and more.

In late 2021, Forbes reported that Google had confirmed millions of users had been affected by dangerous scams directly from the Play Store. As with the HiddenAds malware, it seems that new trojan apps become available to download as fast as existing ones are reported and deleted.

The ease with which malicious software can be made accessible on what should be a trusted platform demonstrates a larger issue than the inconvenience of popup ads. Users should be able to trust that apps available for download are properly vetted to ensure their legitimacy before being made available on the Google Play Store.