loader gif

22 Android adware apps found masking their host devices as iPhones

3d,access,adware,alert,antivirus,attention,background,bug,caution,computer,concept,crime,cyber,e-mail,exclamation,forbidden,hacker,icon,illustration,infected,internet,isolated,laptop,neon,online,problem,protect,protection,red,safety,security,sign,stop,symbol,technology,trojan,virus,warning,white,word,worm
  • 22 Android adware apps were found masking as an iPhone app to fool ad networks into generating revenue.
  • The malicious apps possessed the ability to restart after three minutes even after a victim shut down the apps’ processes.

The Android ecosystem has witnessed the spread of numerous kinds of malware and other not-so-malicious apps, called potentially unwanted applications (PUAs), ever since its inception. However, the number of threats on the Google Play Store has grown steadily over the last few years, with malware being the dominant threat.

In the most recent batch of adware apps discovered on Google Play, the use of a new tactic was discovered by Sophos Labs researchers. The loading and clicking on ads in the background is a common technique used by adware apps, but the set of 22 apps discovered in this case, went a step further.

Since ad networks value traffic from Apple devices more than Android, the adware masked its host phones while sending requests to ad networks, posing as iPhones instead.

The set of 22 malicious apps, which have now been taken down from Google Play, were first discovered last month by Sophos Labs. The company told ZDNet that the 22 apps have been collectively downloaded over 2 million times from the Play Store. One highly popular app among the 22, was a flashlight app named Sparkle, which alone had over a million downloads.

Surprisingly enough, three of these apps existed in earlier versions, without any kind of malware attached to them. This indicates that the developers of these apps likely felt compelled to go for a malicious route to make money from their apps.

Resilient Adware

Chen Yu, a researcher at Sophos Labs told ZDNet that these apps were more aggressive than previously known Android adware families. These apps had the ability to automatically restart after three minutes, even after a victim closed the apps’ processes. This would lead to high battery usage and a constant profit generation for the adware author.

These apps have been categorized as the Andr/Clickr-ad family of Android malware. Though the apps could have been used to further download and run malicious files, no such functionality was found. Some of the same app developers who made these apps have also built iOS apps, but such adware activity wasn’t found on them.

Its raining malware

A large onslaught of malware apps on Android have been discovered since 2017, with malicious apps ranging from banking bots, ad clickers, to multiple kinds of ransomware.

In this environment of ever-present threats, it is very important for all users to remain aware and take precautionary steps like:

  • Update to the latest available Android version.
  • Avoid downloading apps from third-party app stores.
  • Avoid downloading apps whose developers’ identity is suspicious or is rated low.
  • Prioritize purchasing devices from manufacturers that patch devices regularly to avoid security vulnerabilities.
loader gif