Symantec specialists found two Android malwares on the Google Play Store with the total number of downloads exceeding 1.5 million. These programs used a new technique to secretly click on advertisements users’ awareness.
According to a Symantec report, the malware was in the official Play Store for almost a year before it was detected. After anti-virus experts reported the malicious behavior of the applications, Google employees removed them from the site.“We recently spotted a new tactic being used by apps on the Google Play Store to stealthily perform ad-clicking on users’ devices. A developer known as Idea Master has published two popular apps on the Play Store in the past year, with a collective download count of approximately 1.5 million”, — report Symantec experts.
One of the dubious applications masked as a variation of a notebook, its name is “Idea Note: OCR Text Scanner, GTD, Color Notes”.
The second used the theme of fitness to mislead users – “Beauty Fitness: daily workout, best HIIT coach”.
Both programs were packaged using legitimate tools commonly applied to protect the intellectual property of Android apps. However, these same packers greatly complicate the task for researchers to study the application in detail.
Notepad and fitness app carefully hidden their unwanted activity.
Read also: Researchers found that 53% of authentication attempts on social networks are fraudulent
Advertisements were placed outside the visible area of the display, which helped to hide them from the users. In a zone invisible to the victim, occurred clicks, the purpose of which was to earn money for fraudsters.
“Unlike hidden views where the view is set to transparent in order to hide content from the user, this threat actor deploys a much more cunning way of running the advertisements while keeping them hidden from the user. This is done by first creating a Canvas outside the device’s viewable display such that, technically, the advertisements are drawn on the device. By using the translate() and dispatchDraw() methods the position of the drawings are beyond the device’s viewable screen area and the user is unable to see the advertisements on their device. Using this tactic allows advertisements, and any other potentially malicious content, to be displayed freely. The app can then initiate an automated ad-clicking process that produces ad revenue”, — Symantec researchers describe how malware works.
The problem for the user was that the smartphone’s battery power was coming to an end very rapidly.
But this is not all the negative consequences: mobile devices significantly lost in productivity, some even ran out of storage, as malicious applications constantly visited advertising sites.
Recently, we reported that in the official Google Play Store, you could find a popular application for creating PDF and optical character recognition – CamScanner. It was downloaded by more than one hundred million users. However, at some point, something went wrong – the program was equipped with a malicious component.
Since the applications are still available on Google Play, we strongly encourage users to manually uninstall them from their devices. Additionally, we advise users to take the following precautions:
- Keep your software up to date.
- Do not download apps from unfamiliar sites.
- Only install apps from trusted sources.
- Pay close attention to the permissions requested by apps.
- Install a suitable mobile security app to protect your device and data.
- Make frequent backups of important data.
