Knowlesys

Over 60,000 Android apps secretly embedded with adware that can be exploited by hackers

A report released by leading security vendor Bitdefender says it has found 60,000 different Android apps secretly embedded with adware in the past six months.

The report states that upon analysis, the campaign was designed to spread adware to users' Android-based devices as a way to increase revenue. However, cyber attackers can easily change tactics and redirect users to other types of malware, such as theft programs that target bank accounts.

Statistically, the adware primarily targeted users in the United States (55.27%), followed by South Korea (9.8%), Brazil (5.96%), and Germany (2.93%). The large number of unique samples suggests that an automated process was devised to create applications with malware that was distributed through counterfeit game crackers, free VPNs, fake Netflix tutorials, ad-free versions of YouTube/TikTok, and fake security programs.

Surreptitious installation to evade detection

These apps are hosted on third-party websites, and researchers did not find the same adware in Google Play's apps. When visiting these sites, users are redirected to the download sites for these apps. Once installed, the apps do not configure themselves to run automatically, as this requires additional permissions. Instead, they rely on the normal Android app installation process, which prompts the user to "open" the app after installation.

In addition, these apps do not display icons and use UTF-8 characters in the app tab, making them more difficult to detect. This is a double-edged sword, because it also means that if the user does not launch the application right after installation, it will likely never be launched.

If it is launched, the application will display an error message stating "Application is unavailable in your region. Tap OK to uninstall." In reality, however, the application is not uninstalled, but simply hibernated before registering two intents that allow the application to start when the device starts or when the device is unlocked. Bitdefender indicates that the latter intent was disabled two days ago, possibly to avoid detection by the user.

Upon launch, the application will connect to the operator's servers and retrieve links to ads to be displayed in mobile browsers or as full-screen WebView ads.
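The traits described above can be checked in a decoded AndroidManifest.xml. The following is an added example, not code from Bitdefender or the original article; it assumes the manifest has already been decoded to text XML, that the two intents correspond to the standard BOOT_COMPLETED and USER_PRESENT actions, and it uses constructed sample manifests.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumption: the two intents the article describes map to these standard actions.
TRIGGERS = {
    "android.intent.action.BOOT_COMPLETED": "starts at boot",
    "android.intent.action.USER_PRESENT": "starts on unlock",
}

def audit_manifest(xml_text):
    """Return sorted heuristic findings for one decoded AndroidManifest.xml."""
    app = ET.fromstring(xml_text.strip()).find("application")
    if app is None:
        return []
    findings = set()
    if app.get(ANDROID + "icon") is None:
        findings.add("no icon declared")
    label = app.get(ANDROID + "label")
    # A literal label with no letter or digit shows up as a blank-looking entry.
    # Resource references (@string/...) cannot be judged from the manifest alone.
    if label is not None and not label.startswith("@") \
            and not any(c.isalnum() for c in label):
        findings.add("label has no readable characters")
    for receiver in app.iter("receiver"):
        for action in receiver.iter("action"):
            reason = TRIGGERS.get(action.get(ANDROID + "name"))
            if reason:
                findings.add("receiver " + reason)
    return sorted(findings)

# Constructed sample: no icon, invisible label (U+2060), boot and unlock receivers.
SUSPICIOUS = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application android:label="&#x2060;">
    <receiver android:name=".Wake" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: ordinary app with icon, readable label and no receivers.
BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application android:icon="@mipmap/ic_launcher" android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SUSPICIOUS))
```

Boot and unlock receivers are common in legitimate apps, so a single finding means little; it is the combination with a missing icon and an unreadable label that warrants a closer look.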

Android devices are a prime target for malware developers because users are able to install apps from sources outside the protection of the Google Play store. But for now, even Google Play may not be safe. Recently, researchers from Dr. Web and CloudSEK found that malicious spyware SDKs have been installed on Android devices more than 400 million times via apps on Google Play.

While Google Play still has malicious apps, installing Android apps from the official store is generally much safer, and users are strongly advised not to install any Android apps from third-party sites, as they are a common vector for malware.


