Malicious Android Apps With 1M+ Installs Found on Google Play

A set of four malicious applications currently available in Google Play, the official store for the Android system, are directing users to sites that steal sensitive information or generate ‘pay-per-click’ revenue for the operators. Some of these sites offer victims fake security tools or updates to trick users into installing the malicious files manually. The apps are still present on Google Play under a developer account called Mobile apps Group and have a total install count of more than one million. According to a report, the same developer was exposed twice in the past for distributing adware on Google Play, but it was allowed to continue publishing apps after submitting cleaned versions. The four malicious apps uncovered this time are:

  • Bluetooth Auto Connect, with over 1,000,000 installs
  • Bluetooth App Sender, with over 50,000 installs
  • Driver: Bluetooth, Wi-Fi, USB, with over 10,000 installs
  • Mobile transfer: smart switch, with over 1,000 installs

The apps don’t have favorable reviews on Google Play, and many users left comments about intrusive ads that open automatically in new browser tabs. Interestingly, the developer responds to some of these comments, offering to help resolve the ad problems. Reporters have contacted ‘Mobile apps Group’ to request a comment about the researchers’ findings but have not heard back yet. By monitoring the activity of the software from Mobile apps Group, researchers found that the apps wait 72 hours before showing the first ad or opening a phishing link in the web browser, and then continue to launch more tabs with similar content every two hours. The researchers noted that new browser tabs are opened even when the device is locked, so when users return to their phones they find multiple phishing and ad sites open. Analysis of the manifest file revealed that the developer tried to obfuscate logs for the actions performed by using nonsense log descriptors such as “sdfsdf.” While this method works against automated code scanners, it actually made the actions easier for the researchers to spot.
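The behaviour profile above (a multi-day dormancy period after install, browser tabs launched on a fixed cadence, and launches while the device is locked) can be turned into a simple per-package detection over browser-launch events. The following is an added example, not code from the researchers or the report; the event-log format and package names are constructed stand-ins, and the thresholds are assumptions.

```python
# Flag packages whose browser launches match the adware profile above: silent for
# days after install, then tabs on a fixed cadence, including while the screen is locked.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed, simplified event log (not real logcat output); package names are placeholders.
SAMPLE_EVENTS = """\
2022-11-01T09:00:00 pkg=com.placeholder.btautoconnect locked=false action=installed
2022-11-04T09:00:10 pkg=com.placeholder.btautoconnect locked=true action=open_tab
2022-11-04T11:00:12 pkg=com.placeholder.btautoconnect locked=true action=open_tab
2022-11-04T13:00:09 pkg=com.placeholder.btautoconnect locked=false action=open_tab
2022-11-04T15:00:11 pkg=com.placeholder.btautoconnect locked=true action=open_tab
2022-11-01T09:05:00 pkg=com.placeholder.newsreader locked=false action=installed
2022-11-01T09:06:00 pkg=com.placeholder.newsreader locked=false action=open_tab
2022-11-02T08:15:00 pkg=com.placeholder.newsreader locked=false action=open_tab
"""

def parse_events(text):
    """Group events: {pkg: {"installed": datetime|None, "tabs": [(ts, locked), ...]}}."""
    by_pkg = defaultdict(lambda: {"installed": None, "tabs": []})
    for line in text.splitlines():
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.fromisoformat(ts_str)
        if kv["action"] == "installed":
            by_pkg[kv["pkg"]]["installed"] = ts
        elif kv["action"] == "open_tab":
            by_pkg[kv["pkg"]]["tabs"].append((ts, kv["locked"] == "true"))
    return by_pkg

def assess(rec, min_dormancy=timedelta(hours=48), period=timedelta(hours=2),
           jitter=timedelta(minutes=5), min_events=3):
    """Return the indicators one package matched (thresholds are assumptions)."""
    tabs = sorted(rec["tabs"])
    hits = []
    if rec["installed"] and tabs and tabs[0][0] - rec["installed"] >= min_dormancy:
        hits.append("delayed_start")        # dormant for days before the first launch
    if any(locked for _, locked in tabs):
        hits.append("launch_while_locked")  # tabs opened with the screen locked
    gaps = [b[0] - a[0] for a, b in zip(tabs, tabs[1:])]
    if len(tabs) >= min_events and all(abs(g - period) <= jitter for g in gaps):
        hits.append("fixed_interval")       # timer-driven cadence, not user-driven
    return hits

def suspicious_packages(text, min_hits=2):
    """Map package -> indicators, keeping packages that matched at least min_hits."""
    result = {}
    for pkg, rec in parse_events(text).items():
        hits = assess(rec)
        if len(hits) >= min_hits:
            result[pkg] = hits
    return result
```

The benign news-reader package shows no dormancy, irregular launch times and no locked-screen launches, so it is not reported; a fuller version would also weight the number of tabs opened per day.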

Analyst Notes

To keep adware away from devices, avoid installing apps from unofficial Android stores. Reading user reviews and monitoring battery usage and network data activity also help determine whether a device is running suspicious software. Keeping Google’s Play Protect feature active is another good way to keep the device safer. Any Android device that has one of the above apps installed should have that app removed, followed by a full system scan using Play Protect or a mobile antivirus suite from a reputable vendor.