By: Jessie Huang (Mobile Threats Analyst)
As mobile ad spending increases year by year — the projected mobile ad spend for U.S. advertisers in 2019 is estimated to exceed US$16 billion — cybercriminals will continue to try to profit illicitly through adware with increasingly insidious tricks. As proof of this, we recently observed an active adware campaign (detected by Trend Micro as AndroidOS_HiddenAd.HRXAA and AndroidOS_HiddenAd.GCLA) concealed in 182 free-to-download game and camera apps, the majority of which were found on the Google Play Store and which collectively had millions of downloads. The adware behind the campaign is capable of hiding the malicious app’s icon, showing full-screen ads that can’t be immediately closed or exited, and evading sandbox detection.
We discovered this adware campaign, disguised as game and camera apps, in mid-June 2019. Based on the apps’ behaviors, we generated heuristic patterns and used them to analyze other samples we had detected. After analyzing the apps’ package names, labels, publishing times, offline times, code structures, and code styles and features, we deduced that the campaign has been active since 2018 and that the apps belong to the same campaign despite having been submitted by different developers.
Of the 182 adware-loaded apps, 111 were found on the Google Play Store. The rest of the malicious apps were found on third-party stores that host generic apps, including 9Apps and PP Assistant. Upon analysis, we saw that 43 of the 111 apps hosted on Google Play were unique or had distinct features while the rest were iterations or duplicate apps.
In the course of our analysis, we observed that all of the malicious apps involved in this adware campaign had already been removed from the Google Play platform except for eight apps. As of publishing, these have also been removed. Before takedown, the apps had been downloaded a total of 9,349,000 times.
Figure 1. The last eight fake game and camera apps to have been removed from the Google Play Store. All 111 malicious apps in this adware campaign have already been removed from the Google Play platform.
Because the malicious apps share code structures, they typically exhibit the same behavior. Once installed, a malicious app associated with this adware campaign runs as intended for a set time, after which its icon is hidden from the user, making the app difficult to locate and uninstall.
Figure 2. Screen capture of Google Play reviews describing the behavior of the adware-loaded apps
Figure 3. Different apps’ packages that show similar code structure and style
Figure 4. Screen capture of the code showing the delay time set for the malicious code to be executed on the device
Figures 5-6. Screen captures of code showing how the malicious app’s icon is hidden or removed after 30 minutes
The adware displays full-screen ads whenever a user unlocks an infected phone’s screen; it does this by registering for the broadcast “android.intent.action.USER_PRESENT,” which is configured as a filter in the adware variant’s code. The code also sets a maximum show count and the interval at which ads appear on the user’s phone. Of all the ad display intervals we saw in this campaign, the highest frequency was an ad pop-up every 5 minutes.
Figure 7. Screen capture of code showing the filter “android.intent.action.USER_PRESENT” and the ad time and count limits
Even when the app is not running, full-screen ads that cannot be immediately closed or exited pop up on the user’s screen. When a user tries to close an ad promptly by pressing the Back button, the ad only shows an “open with” call-to-action message instead of exiting. This adds to the cybercriminal’s mobile ad revenue and to the user’s annoyance. The button to close the ad appears only after a set number of seconds has elapsed.
The infected device’s battery and memory are also consumed as ads continue to pop up from the background.
Figure 8. Examples of full-screen ads from the adware campaign
We’ve seen that the cybercriminals have upped the ante and started using more advanced techniques to hide the malicious apps in newer versions of the adware campaign.
Figure 9. Techniques utilized by the earlier versions of the adware campaign
Figure 10. Techniques utilized by the newer versions of the adware campaign
We have observed that the cybercriminals behind this adware campaign are actively evolving and strengthening it. In more recent versions, 24 hours elapse before a scheduled task is executed on the infected device. This lengthy delay allows the adware to evade regular sandbox detection techniques, which monitor endpoints only over a defined timeframe.
Figure 11. Screen capture of code showing the 24-hour delay time set before a scheduled malicious task is created
The malicious code also features conditions or parameters such as “IsOrganic” and “CountryIsAllow” that determine whether or not the app hides itself from the user’s screen.
Figure 12. Screen capture of code detailing the conditions that determine whether or not the app hides itself from the user’s screen
Figure 13. Screen capture of code that features a filter with a predefined referrer source
Figure 14. Screen capture of code that controls the app’s behavior in connecting to the adware variant’s C&C server
Because of the lengthy delay before any malicious activity is deployed, the app’s connection to the C&C server is also postponed, allowing the adware to run without being flagged by a device’s AV solutions and analysis tools. The adware variant also evades static analysis by AV solutions by referencing the icon-hiding method setComponentEnabledSetting in encoded form rather than as a plain string.
Figure 15. Screen capture of code that shows the hide icon method used by cybercriminals to evade the static analysis of AV solutions
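The traits described above (a USER_PRESENT receiver, icon hiding through setComponentEnabledSetting in plain or encoded form, a long scheduling delay, and the IsOrganic/CountryIsAllow gates) can be turned into a simple triage script for decompiled source. The following is an added example written for this post, not Trend Micro’s own detection logic and not code from the campaign. It assumes the APK has already been decompiled to Java text (for example with jadx) and that the encoded method name is base64, which is one common choice; the two input samples are constructed for illustration.

```python
"""Heuristic triage of decompiled Android source for HiddenAd-style traits.

Added example: not Trend Micro's detection logic and not campaign code.
It assumes the input is decompiled Java text (e.g. jadx output) and that
the hidden method name is base64-encoded. Both samples below are constructed.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass
from functools import reduce
from operator import mul

USER_PRESENT = "android.intent.action.USER_PRESENT"
HIDE_METHOD = "setComponentEnabledSetting"
GATE_FLAGS = ("IsOrganic", "CountryIsAllow")
THIRTY_MINUTES_MS = 30 * 60 * 1000  # shortest hide delay the post mentions

# A numeric literal, possibly a product such as 24 * 60 * 60 * 1000
_NUM_EXPR = re.compile(r"\b\d+(?:\s*\*\s*\d+)*L?\b")
# Scheduling APIs a delay literal is expected to sit next to
_SCHEDULING = re.compile(r"postDelayed|AlarmManager|setRepeating|setExact|schedule\w*\(|Timer\b")
# Quoted literals long enough to be a base64-encoded method name
_B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


@dataclass(frozen=True)
class Finding:
    indicator: str
    evidence: str


def _eval_product(expr: str) -> int:
    """Evaluate a literal or product of literals ("24 * 60 * 60 * 1000")."""
    return reduce(mul, (int(n) for n in re.findall(r"\d+", expr)), 1)


def _decoded_base64_literals(source: str):
    """Yield (literal, decoded_text) for base64 literals that decode to printable ASCII."""
    for match in _B64_LITERAL.finditer(source):
        literal = match.group(1)
        try:
            text = base64.b64decode(literal, validate=True).decode("ascii")
        except ValueError:  # bad padding/alphabet or non-ASCII bytes
            continue
        if text.isprintable():
            yield literal, text


def scan(source: str) -> list[Finding]:
    """Return every HiddenAd-style indicator found in decompiled source text."""
    findings: list[Finding] = []
    if USER_PRESENT in source or "ACTION_USER_PRESENT" in source:
        findings.append(Finding("user_present_receiver", USER_PRESENT))
    if HIDE_METHOD in source:
        findings.append(Finding("hide_icon", HIDE_METHOD))
    # Encoding the method name defeats naive string matching; decode and re-check.
    for literal, text in _decoded_base64_literals(source):
        if HIDE_METHOD in text:
            findings.append(Finding("hide_icon_encoded", f'"{literal}" -> {text}'))
    # Only count delay literals on lines that also call a scheduling API,
    # which keeps resource IDs and other large constants from firing.
    for line in source.splitlines():
        if not _SCHEDULING.search(line):
            continue
        for match in _NUM_EXPR.finditer(line):
            delay_ms = _eval_product(match.group(0))
            if delay_ms >= THIRTY_MINUTES_MS:
                findings.append(Finding("long_delay", f"{match.group(0)} = {delay_ms} ms"))
    for flag in GATE_FLAGS:
        if flag in source:
            findings.append(Finding("gate_flag", flag))
    return findings


def is_hiddenad_like(findings: list[Finding]) -> bool:
    """Icon hiding plus the unlock trigger or a long delay is the campaign's signature."""
    names = {f.indicator for f in findings}
    hides_icon = bool(names & {"hide_icon", "hide_icon_encoded"})
    return hides_icon and bool(names & {"user_present_receiver", "long_delay"})


# Constructed sample resembling jadx output; the method name is only present encoded.
_ENCODED_HIDE = base64.b64encode(HIDE_METHOD.encode()).decode()
MALICIOUS_SAMPLE = f"""
public class AdService extends Service {{
    private static final String HIDE = "{_ENCODED_HIDE}";
    public void onCreate() {{
        registerReceiver(new AdReceiver(), new IntentFilter("android.intent.action.USER_PRESENT"));
        new Handler().postDelayed(this::scheduleAds, 24 * 60 * 60 * 1000);
        if (cfg.getBoolean("IsOrganic") && cfg.getBoolean("CountryIsAllow")) {{
            Method m = PackageManager.class.getMethod(new String(Base64.decode(HIDE, 0)),
                    ComponentName.class, int.class, int.class);
            m.invoke(pm, new ComponentName(this, MainActivity.class), 2, 1);
        }}
    }}
}}
"""

# Constructed benign sample: a camera app that only schedules a short UI refresh.
BENIGN_SAMPLE = """
public class CameraActivity extends Activity {
    public void onResume() {
        new Handler().postDelayed(this::refreshPreview, 500);
    }
}
"""

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = scan(sample)
        print(f"{name}: hiddenad_like={is_hiddenad_like(found)}")
        for f in found:
            print(f"  {f.indicator}: {f.evidence}")
```

The delay check deliberately looks only at lines that also call a scheduling API; a delay stored in a separate constant would be missed, which is the usual trade-off between a cheap string heuristic and proper data-flow analysis. Run the script over a whole decompiled tree by concatenating the .java files and passing the text to scan().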
What users and machine learning-powered security solutions can do
Users can manually remove the adware-hosted fake apps using the steps shown below, but this can prove an annoying task when full-screen ads appear every five minutes, as seen in some of the malicious apps.
Cybercriminals are finding new ways to make mobile threats more surreptitious and evasive in order to profit from users, not just by deploying adware but also by stealing sensitive information. This is why mobile devices should have comprehensive security software against mobile malware.
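Because the app hides its launcher icon by disabling that component, a package whose components show up as disabled in the package manager is a candidate for the behavior described above. The following added example (not Trend Micro’s tooling and not part of the original post) parses the output of `adb shell dumpsys package`, which it assumes you have already captured to a file, and lists third-party packages with disabled components. The sample dump is constructed to mimic that output’s layout and is not from a real device.

```python
"""List third-party packages with disabled components from `dumpsys package` output.

Added example, not Trend Micro's tooling. It assumes `adb shell dumpsys package`
was captured beforehand; SAMPLE_DUMP is constructed to mimic that layout.
"""
from __future__ import annotations

import re

_PKG_HEADER = re.compile(r"^\s{2}Package \[([^\]]+)\]")
_PKG_FLAGS = re.compile(r"^\s+pkgFlags=\[([^\]]*)\]")
_DISABLED_HEADER = re.compile(r"^\s+disabledComponents:\s*$")
_COMPONENT = re.compile(r"^\s+([\w.$]+)\s*$")


def parse_disabled_components(dump: str) -> dict[str, dict]:
    """Return {package: {"system": bool, "disabled": [component, ...]}}."""
    packages: dict[str, dict] = {}
    current = None
    in_disabled = False
    header_indent = 0
    for line in dump.splitlines():
        m = _PKG_HEADER.match(line)
        if m:
            current = m.group(1)
            packages[current] = {"system": False, "disabled": []}
            in_disabled = False
            continue
        if current is None:
            continue
        m = _PKG_FLAGS.match(line)
        if m:
            packages[current]["system"] = "SYSTEM" in m.group(1).split()
            continue
        if _DISABLED_HEADER.match(line):
            in_disabled = True
            header_indent = len(line) - len(line.lstrip())
            continue
        if in_disabled:
            indent = len(line) - len(line.lstrip())
            m = _COMPONENT.match(line)
            if m and indent > header_indent:
                packages[current]["disabled"].append(m.group(1))
                continue
            in_disabled = False  # dedent or a non-component line ends the list
    return packages


def third_party_with_disabled_components(dump: str) -> list[str]:
    """Non-system packages with at least one disabled component, sorted by name."""
    return sorted(pkg for pkg, info in parse_disabled_components(dump).items()
                  if not info["system"] and info["disabled"])


# Constructed sample: one system app, one app with a disabled main activity, one clean app.
SAMPLE_DUMP = """\
Packages:
  Package [com.android.settings] (1a2b3c):
    userId=1000
    pkgFlags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ]
    User 0: ceDataInode=1234 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0
      disabledComponents:
        com.android.settings.LegacyWizardActivity
  Package [com.example.photofilter] (9f8e7d):
    userId=10234
    pkgFlags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
    User 0: ceDataInode=5678 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0
      disabledComponents:
        com.example.photofilter.MainActivity
  Package [com.example.notepad] (4d5e6f):
    userId=10235
    pkgFlags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]
    User 0: ceDataInode=9012 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0
"""

if __name__ == "__main__":
    parsed = parse_disabled_components(SAMPLE_DUMP)
    for pkg in third_party_with_disabled_components(SAMPLE_DUMP):
        print(pkg, "->", ", ".join(parsed[pkg]["disabled"]))
```

On a real device, capture the dump with `adb shell dumpsys package > dump.txt`, run the script over that file, and review each listed package: a disabled component is only a lead (apps legitimately disable components too), so confirm the app is one of the fake game or camera apps before removing it with `adb shell pm uninstall <package>`. The dumpsys layout varies between Android versions, so the regexes may need adjusting for your device.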
The Trend Micro™ Mobile Security for Android™ (also available on Google Play) solution blocks malicious apps, and end users also benefit from its multilayered security capabilities, which secure the device owner’s data and privacy and safeguard them from ransomware, fraudulent websites, and identity theft.
For organizations, the Trend Micro™ Mobile Security for Enterprise suite provides device, compliance, and application management, data protection, and configuration provisioning; it also protects devices from attacks that leverage vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.
The IoCs of this adware campaign can be seen here.