• The attackers are using two adware named AndroidOS_HiddenAd.HRXAA and AndroidOS_HiddenAd.GCLA to conduct the campaign.
  • The campaign has been active since 2018.

Researchers have discovered a new adware campaign that has been active since 2018. The campaign is spread across as many as 182 mobile apps that are available on Google Play and third-party Android stores.

Which adware is involved?

Trend Micro researchers, who detected the campaign in mid-June 2019, have found that the attackers are using two adware named AndroidOS_HiddenAd.HRXAA and AndroidOS_HiddenAd.GCLA. These adware samples are concealed in 182 free-to-download game and camera apps to evade detection.

The adware behind the campaign is capable of hiding the icons of the malicious apps and showing full-screen ads.

About the malicious apps

Trend Micro noted that 111 out of 182 apps were found on the Google Play store and the rest were available on third-party stores like 9Apps and PP Assistant. These 111 apps have more than 9.3 million downloads.

These apps, if downloaded, will run for a specific time, after which the icon will be hidden from the user, making it difficult to locate and uninstall them.

“ The adware will display full-screen ads whenever a user unlocks an infected phone’s screen with the filter “android.intent.action.USER_PRESENT,” which is configured in the adware variant’s code. The adware’s code also provides a max show count and the interval time in which ads appear on a user’s phone” said Trend Micro researchers.

Researchers further explained that users cannot close or exit a pop-up on their screen even when the app is not running. This affects the infected devices’ battery and memory.

What action has been taken?

Upon discovery, Google has successfully removed all the 111 malicious apps from its Play Store. Users are urged to be careful while downloading apps from third-party app stores.

Cyware Publisher