Bitdefender has found 10 Google Play apps that have been packed full of aggressive adware to either subscribe users to premium-rate numbers using scareware messages or install additional apps that pack in even more ads.
The apps (including the “What is my ip?” app still available on Google Play) were designed to use a different name when installed to give users a hard time identifying and uninstalling them.
Once installed, they create a desktop shortcut named “System Manager.” If someone figures out that one of these apps is responsible for all the browser redirects and scareware messages, he’ll have a hard time finding and uninstalling the app in the Application Manager menu as it hides under the vague new name and not, for instance, “What is my ip?” Less tech-savvy users will be thrown off the scent and the app will remain installed and running indefinitely.
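A triage check for the renaming behaviour described above, as an added example that is not Bitdefender's code: it parses `aapt dump badging` output for an APK and flags labels that do not match the store listing title the analyst supplies. The sample output, the package name `com.example.ipcheck`, the function names and the `GENERIC_WORDS` list are all constructed or assumed for illustration.

```python
import re

# Constructed `aapt dump badging` output for a hypothetical sample (not from the article).
SAMPLE_BADGING = """\
package: name='com.example.ipcheck' versionCode='3' versionName='1.2'
uses-permission: name='android.permission.INTERNET'
application-label:'System Manager'
application-label-en:'System Manager'
launchable-activity: name='com.example.ipcheck.Main'  label='System Manager' icon=''
"""

# Assumed heuristic: words that make a label sound like an OS component.
GENERIC_WORDS = {"system", "manager", "service", "services", "update", "settings"}


def parse_badging(text):
    """Extract the package name and every user-visible label the APK declares."""
    pkg = re.search(r"^package: name='([^']+)'", text, re.M)
    labels = set(re.findall(r"^application-label(?:-[\w-]+)?:'([^']*)'", text, re.M))
    labels |= set(re.findall(r"^launchable-activity:.*?label='([^']*)'", text, re.M))
    labels.discard("")
    return {"package": pkg.group(1) if pkg else None, "labels": labels}


def _norm(s):
    """Lower-case and collapse punctuation so titles compare loosely."""
    return re.sub(r"[^a-z0-9]+", " ", s.lower()).strip()


def label_findings(badging_text, store_title):
    """Return (package, label, kind) for each label unrelated to the store title."""
    info = parse_badging(badging_text)
    title = _norm(store_title)
    findings = []
    for label in sorted(info["labels"]):
        n = _norm(label)
        if n == title or n in title or title in n:
            continue  # installed name is consistent with the listing
        generic = set(n.split()) <= GENERIC_WORDS
        kind = "generic-system-label" if generic else "label-mismatch"
        findings.append((info["package"], label, kind))
    return findings


if __name__ == "__main__":
    for finding in label_findings(SAMPLE_BADGING, "What is my ip?"):
        print(finding)
```

A mismatch alone is only a lead for manual review; legitimate apps sometimes shorten their launcher label.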
One probable reason the apps circumvented Google’s vetting is that the URL used to redirect users doesn’t actually disseminate malicious .apk files. Its purpose is to redirect browsers – Android’s native browser, Chrome, Firefox, Facebook or even TinyBrowser – to a specially created URL that tosses users around from one ad-displaying website to another.
For each browser search, clicked URL, or Facebook-opened link, users are redirected to a webpage (http://www.mobilsitelerim.com/anasayfa) that displays a variety of geolocation-specific ads intended to either scare viewers into subscribing to premium-rate numbers – for an alleged security subscription – or trick them into installing more adware disguised as system or performance updates.
These ill-intended apps only require two permissions – Network Communication and System Tools – but can still cause massive headaches and potentially trick users into downloading device-clogging apps and adware.
Although they’re not malicious per se, by broadcasting sensitive user information to third parties, they resemble aggressive adware found on desktop PCs. The resulting barrage of pop-ups, redirects and ads irks users and seriously damages both the user experience and the performance of Android devices.
Aggressive adware has advanced at a dangerous clip in the past couple of years, moving from in-app advertisements and adware SDKs, to browser redirects and covertly running apps at start-up under seemingly legitimate names.
At the time of writing, some of the apps are still available on Google Play. We detect them as Android.Trojan.HiddenApp.E. We strongly encourage everyone to install a security solution that can detect malware and aggressive adware and keep them off of your Android device.
Samples md5:
This article is based on the technical information provided courtesy of Bitdefender Researcher Alin Barbatei.