Bitdefender’s industry-first anomaly detection technology

Tens of thousands of compromised Android apps found

Bitdefender researchers have recently leveraged their industry-first anomaly detection technology, integrated into Bitdefender Mobile Security, to reveal a concealed malware campaign that had gone undetected on mobile devices globally for over half a year.

According to the researchers, this mobile malware has flourished unnoticed because Android platforms have lacked behaviour-based detection capabilities. The campaign primarily aims to aggressively distribute adware to Android devices, generating revenue for the threat actors involved. However, these actors could switch tactics effortlessly, redirecting users to other types of malware such as banking Trojans, ransomware, and credential-stealing threats. Bitdefender has already identified 60,000 distinct samples (unique apps) carrying the adware and suspects that even more are lurking in the wild.

The malware campaign, which has been active since at least October 2022, stands out because it was only uncovered through the new behaviour anomaly technology. Without this detection capability, the malware would likely have remained undetected. The researchers believe that the operation is largely automated, given the sheer number of unique samples discovered.

Notably, the distribution of the malware spans globally, despite its absence from official app stores. To entice users to download and install third-party apps, the threat actors have disguised their malicious software as highly sought-after items that are not available in official stores, or they have mimicked legitimate applications published in the Play Store.

Among the types of apps imitated by the malware are game cracks, games with unlocked features, free VPN services, fake videos, popular streaming platforms like Netflix, fake tutorials, ad-free versions of YouTube and TikTok, cracked utility programs (e.g., weather apps, PDF viewers), and fake security programs.

The malware campaign’s organic distribution occurs when users search for these types of apps, mods, or cracks. Modded apps are in high demand, with dedicated websites offering these modified versions of popular applications. Modded apps typically unlock full functionality or introduce programming changes to the original applications.

For instance, when a user visits a website from a Google search for a “modded” app, they may be redirected to a random ad page. Sometimes, this page serves as a download page for malware disguised as a legitimate download for the mod they were seeking.

The malware uses a novel approach to remain hidden on Android devices. Since API level 30, Google has removed the ability to hide an app’s icon once a launcher activity is registered. The malware sidesteps this limitation by not registering any launcher activity at all and relying on the default Android install behaviour. The last screen shown during installation is an “Open” prompt, which the malware uses to deceive the user into believing that the application was never installed. With no icon in the launcher and a label consisting of a UTF-8 character, the malware is harder to spot and uninstall: it always appears at the end of the app list, where it is less likely to be noticed.
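As an added defender-side illustration (not Bitdefender’s code), the following Python script triages an app inventory for the two hiding traits just described: no launcher activity and a label made of invisible Unicode characters. It assumes the inventory was exported from the device as tab-separated lines (package, installer, has_launcher, label); the sample rows and the store-installer list are constructed for illustration.

```python
import unicodedata
from dataclasses import dataclass

# Unicode general categories that render as blank (spaces, format/control chars, unassigned).
INVISIBLE_CATEGORIES = {"Zs", "Zl", "Zp", "Cf", "Cc", "Co", "Cn"}
# Code points that are assigned letters/symbols yet still render as blank space.
BLANK_RENDERING = {"\u2800", "\u3164", "\u115f", "\u1160", "\uffa0"}
# Installer package names of app stores (assumption: illustrative list, extend for your fleet).
STORE_INSTALLERS = {"com.android.vending", "com.amazon.venezia"}


@dataclass
class App:
    package: str
    installer: str        # empty when sideloaded through the package installer
    has_launcher: bool    # does the app register a MAIN/LAUNCHER activity?
    label: str


def label_is_invisible(label: str) -> bool:
    """True if the label would show as blank in an app list."""
    return all(unicodedata.category(ch) in INVISIBLE_CATEGORIES or ch in BLANK_RENDERING
               for ch in label)


def parse_inventory(text: str) -> list[App]:
    apps = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        package, installer, launcher, label = line.split("\t", 3)
        apps.append(App(package, installer, launcher == "yes", label))
    return apps


def triage(apps: list[App]) -> list[tuple[str, list[str]]]:
    """Flag apps with no launcher activity plus at least one further hiding indicator."""
    findings = []
    for app in apps:
        reasons = []
        if not app.has_launcher:
            reasons.append("no launcher activity")
        if label_is_invisible(app.label):
            reasons.append("blank/invisible label")
        if app.installer not in STORE_INSTALLERS:
            reasons.append("sideloaded")
        # A missing launcher alone is normal for keyboards, plugins and services.
        if not app.has_launcher and len(reasons) >= 2:
            findings.append((app.package, reasons))
    return findings


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = """\
# package\tinstaller\thas_launcher\tlabel
com.example.weather\tcom.android.vending\tyes\tWeather
com.example.keyboard\tcom.android.vending\tno\tKeyboard
com.example.sideloaded.mod\t\tno\t\u200b
"""
```

Running `triage(parse_inventory(SAMPLE_INVENTORY))` reports only the sideloaded package, with all three reasons attached.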

The malware operates by triggering actions upon boot or when the user interacts with the device, such as unlocking the phone. After a two-hour sleep period, the application establishes contact with the server and registers an alarm that is subsequently triggered every two hours, allowing the server to activate the adware phase at an unpredictable interval.

To protect its malicious content, the malware employs a robust packer that uses the SQLCipher package to encrypt its stored data. By encrypting its dex files as entries in a database, the malware can retrieve them through simple queries when necessary. The database’s access key appears to be the certificate’s hashcode.

The malware also exhibits adware behaviour, where it loads adware URLs from the server using the mobile browser when the user unlocks their phone. Bitdefender Mobile Security’s Web Security feature may intercept these links before they are loaded. Additionally, the malware leverages adware libraries to display full-screen ads, a behaviour specifically targeted by Bitdefender’s anomaly detection technology.

To protect your device, it is strongly recommended to use a reputable security solution capable of detecting such threats. Furthermore, downloading apps from third-party app stores and websites is highly discouraged to minimize the risk of malware infections.
