{"id":88125,"date":"2019-09-24T20:14:54","date_gmt":"2019-09-24T14:44:54","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=88125"},"modified":"2019-09-26T18:28:50","modified_gmt":"2019-09-26T12:58:50","slug":"quick-heal-reports-29-malicious-apps-10-million-downloads-google-play-store","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/quick-heal-reports-29-malicious-apps-10-million-downloads-google-play-store\/","title":{"rendered":"Quick Heal reports 29 malicious apps with 10 million+ downloads on Google Play Store"},"content":{"rendered":"<div>Quick Heal Security Labs reported\u00a029 malicious apps found on Google Play Store, which have a collective download count of more than 10 million. Google was quick enough to remove these malicious apps from Play Store immediately.\u00a0One of the Apps\u00a0from this set, named \u201c<strong><b>Multiapp multiple accounts simultaneously<\/b><\/strong>\u201d, has crossed 5 million installs already.<\/div>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-88143 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/09\/play_screens-300x298.png\" alt=\"\" width=\"561\" height=\"557\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/play_screens-300x298.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/play_screens-150x150.png 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/play_screens-393x390.png 393w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/play_screens-70x70.png 70w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/play_screens-45x45.png 45w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/play_screens.png 586w\" sizes=\"(max-width: 561px) 100vw, 561px\" \/>\u00a0<em>\u00a0 Fig. 
1<\/em>&#8211; <em>Malicious HiddAd Apps from Google Play Store<\/em><\/p>\n<p>From this set of 29 malicious Apps, 24 are from the HiddAd\u00a0category. The HiddAd Apps hide their icon after first launch and create a shortcut on the Home Screen. The clear purpose of this action is to prevent users from uninstalling the App by just dragging the icon. When users launch the App through the shortcut, these apps show full-screen ads on the device screen. A few of these Apps can show ads even when the device is in an idle state and the App is not in active use. Most of these Apps are in the Photography category and are similar to previous HiddAds found on Google Play Store. Fig. 1 shows screenshots\u00a0of malicious HiddAd Apps from Google Play Store.<\/p>\n<p>The remaining 5 Apps from the above list are in the Adware category and generally get onto Android phones through advertisements. Users\u00a0see many advertisements every time they visit social media sites like YouTube, Facebook, etc., which promote different mobile applications. Many times, these promoted mobile applications boast about unbelievable functionality like X-Ray scanning. We came across a few advertisements for some interesting Android Apps which claim to offer X-ray scanning functionality. 
When we explored these Apps further, we found that two such apps have already crossed 1 million+ downloads.<\/p>\n<p>Here is a screenshot of one such advertisement we came across on YouTube,\u00a0prompting users to download one of the magnifier applications &#8211;<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-88139 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/09\/AD_promotion-300x221.png\" alt=\"\" width=\"326\" height=\"240\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/AD_promotion-300x221.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/AD_promotion.png 330w\" sizes=\"(max-width: 326px) 100vw, 326px\" \/><em>Fig. 2<\/em> &#8211; <em>Advertisement\u00a0screenshot from YouTube<\/em><\/p>\n<p>This advertisement claims that the App can scan the human body like an X-ray scanning machine. But obviously, this app doesn\u2019t have any such functionality. We can guess that\u00a0many users are tricked into downloading this App and end up with annoying advertisements. During our analysis, we found around 5 applications with similar functionalities.<strong><b>\u00a0<\/b><\/strong><\/p>\n<p><strong>Analysis of HiddAd malware Apps:\u00a0<\/strong><\/p>\n<p>A HiddAd malware App hides its icon after installation and first launch, and creates a shortcut on the Home Screen. We analyzed one of these HiddAd malware Apps in detail. It directly uses the <em><i>setComponentEnabledSetting<\/i><\/em><em><i>\u00a0<\/i><\/em>method to hide its own icon, without any obfuscation. 
This is a little different from most of the HiddAd malware we analyzed earlier, which used some obfuscation techniques to evade detection.<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-88145 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/09\/shortcut_created-300x228.png\" alt=\"\" width=\"515\" height=\"391\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/shortcut_created-300x228.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/shortcut_created-514x390.png 514w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/shortcut_created.png 577w\" sizes=\"(max-width: 515px) 100vw, 515px\" \/><em>\u00a0Fig. 3<\/em> &#8211;<em> Screenshot\u00a0of HiddAd activity<\/em><\/p>\n<p>This HiddAd App has the following code to decide when to show Ads. The function name itself tells its purpose. The following code snippet clearly shows\u00a0that the App installation time is saved in a variable and that, depending on that value, the App decides the exact time to show Ads.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-88140 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/09\/code1-300x84.png\" alt=\"\" width=\"743\" height=\"208\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/code1-300x84.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/code1-650x181.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/code1-304x84.png 304w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/code1.png 667w\" sizes=\"(max-width: 743px) 100vw, 743px\" \/><\/p>\n<p style=\"text-align: center\"><em>Fig. 4<\/em> &#8211; <em>code to decide Ad display time<\/em><\/p>\n<p>In one of these Apps, named \u201cFirst camera HD\u201d, the malware author has used a different technique. 
In this apk, there is an encrypted file present in its \u201cassets\u201d directory. This file gets decrypted at runtime and the App creates an odex file (Optimized dex file) in \u201cdata\\data\\com.first.app.camera.spite\\files\\podex\\odexdir\u201d.<\/p>\n<p>Later, it deletes this created odex file at runtime. We analyzed this file by fetching it from our emulator and found that it has similar code. The code snippet below shows\u00a0how it decrypts the file and creates the odex file \u2013<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-88141 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/09\/code2-300x135.png\" alt=\"\" width=\"710\" height=\"320\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/code2-300x135.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/code2-650x293.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/code2.png 667w\" sizes=\"(max-width: 710px) 100vw, 710px\" \/><\/p>\n<p style=\"text-align: center\"><em>Fig. 5<\/em> &#8211;<em> odex file creation<\/em><\/p>\n<p>Quick Heal Total Security for Mobile detects these applications as<strong><b>\u00a0Android.Hiddad.A<\/b><\/strong><\/p>\n<p><strong><b>Analysis of Adware Apps:<\/b><\/strong><\/p>\n<p>These Apps pretend to offer a functionality of magnifying the view, but in reality these Apps just show heavy advertising on the user\u2019s mobile, eventually draining phone battery and causing heavy data usage and productivity loss.<\/p>\n<p>Right after the launch, these applications open the camera and show various options like flash-light, gallery, etc. But when the user chooses an option, these apps start full-screen Ads, with no option to close or skip. Initially there is no way to close these Ads and it takes considerable time to show the Close Ad button. These Ads are continuous and annoying. 
Even if the user gets a chance to close one Ad, the App will immediately open another Ad and won\u2019t allow the user to use the real application functionalities.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-88146 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/09\/shows_ad-300x120.png\" alt=\"\" width=\"803\" height=\"321\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/shows_ad-300x120.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/shows_ad.png 625w\" sizes=\"(max-width: 803px) 100vw, 803px\" \/><\/p>\n<p style=\"text-align: center\"><em>Fig. 6<\/em> &#8211; <em>Screenshots of Adware activity<\/em><\/p>\n<p>From the user reviews, it seems that users are trapped\/lured into installing these Apps.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-88144 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/09\/reviews-300x228.png\" alt=\"\" width=\"615\" height=\"467\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/reviews-300x228.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/reviews.png 493w\" sizes=\"(max-width: 615px) 100vw, 615px\" \/><\/p>\n<p style=\"text-align: center\"><em>Fig. 
7<\/em> &#8211; <em>User reviews<\/em><\/p>\n<p>Quick Heal Total Security for Mobile detects these applications under the Adware category as <strong><b>Android.Magnify.A (Adware)<\/b><\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-88142 aligncenter\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2019\/09\/IOc-300x211.png\" alt=\"\" width=\"788\" height=\"554\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/IOc-300x211.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/IOc-554x390.png 554w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/09\/IOc.png 665w\" sizes=\"(max-width: 788px) 100vw, 788px\" \/><\/p>\n<p style=\"text-align: center\"><em>Fig. 8 &#8211; IOCs<\/em><\/p>\n<p>&nbsp;<\/p>\n<blockquote>\n<p align=\"justify\"><strong><span style=\"color: #7e0021\"><span style=\"font-family: Calibri, sans-serif\"><span style=\"font-size: medium\"><i>Threat actors are continuously trying to find new ways to get onto the user\u2019s device and earn money through advertisements. So, users should not fall prey to this and should not blindly install any random mobile application coming from social platforms. Rather, users should check the App Developer\u2019s information\u00a0and\u00a0reviews before downloading any app.<\/i><\/span><\/span><\/span><\/strong><\/p>\n<\/blockquote>\n<p><strong><b>Tips to stay safe from Android malware:<\/b><\/strong><\/p>\n<ul>\n<li>Check an app\u2019s description before you download it.<\/li>\n<li>Check the app developer\u2019s name and their website. If the name sounds strange or odd, you have every reason to suspect it.<\/li>\n<li>Go through the reviews and ratings of the app. But, note that these can also be faked.<\/li>\n<li>Avoid downloading apps from third-party app stores.<\/li>\n<li>Always keep \u2018Unknown Sources\u2019 disabled. 
Enabling this option allows installation of apps from unknown sources.<\/li>\n<li>Most importantly, verify app permissions before installing any app, even from official stores such as Google Play.<\/li>\n<li>Use a reliable mobile antivirus (like Quick Heal Total Security) that can prevent fake, malicious apps, adware, etc. from getting installed on your phone.<\/li>\n<li>Limit yourself to known apps from known developers and keep only those apps on mobile that are really needed.<\/li>\n<\/ul>\n<p align=\"justify\">Although Quick Heal&#8217;s Security Lab is constantly on the lookout for malicious activities happening against Mobile Devices, prevention is always better than cure. Our modern world has absolutely brought mobile devices to the forefront of how we conduct our day-to-day lives.<\/p>\n<p align=\"justify\">Communication, e-commerce, entertainment, logistics, and even office work are all being conducted today via mobile devices. Evidently then, any type of breach of personally used mobile devices will bring life to a standstill, create panic and cause extreme inconvenience. To avoid this unpleasant scenario, leverage Quick Heal\u2019s enterprise-grade <a href=\"https:\/\/www.quickheal.co.in\/home-users\/quick-heal-total-security-for-android\" target=\"_blank\">Total Mobile Device Protection for Android<\/a> product and safeguard your valuable mobile devices.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Quick Heal Security Labs reported\u00a029 malicious apps found on Google Play Store, which have a collective download count of more than 10 million. Google was quick enough to remove these malicious apps from Play Store immediately.\u00a0One of the Apps\u00a0from this set, named \u201cMultiapp multiple accounts simultaneously\u201d, has crossed 5 million installs already. \u00a0\u00a0 Fig. 
1&#8211; [&hellip;]<\/p>\n","protected":false},"author":61,"featured_media":88126,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55,1653,285,24,109],"tags":[],"class_list":["post-88125","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","category-antivirus","category-applications","category-malware","category-youtube"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88125"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=88125"}],"version-history":[{"count":36,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88125\/revisions"}],"predecessor-version":[{"id":88173,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88125\/revisions\/88173"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/88126"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=88125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=88125"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=88125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}