The adware inside the apps directs users to harmful phishing sites and steals sensitive information, or generates ‘pay-per-click’ revenue for malware operators by clicking on advertisements. In addition, some of these sites prompt victims to download fake antivirus solutions or updates, which infect devices with malware.
This family of four malicious apps is from the developer ‘Mobile apps Group’ and is infected with Android/Trojan.HiddenAds.BTGTHB. Together, the apps have amassed a total of at least one million downloads on the Google Play Store. ‘Mobile apps Group’ is the same developer that was caught twice in the past for building Trojans into its apps and distributing adware on Google Play. Despite this, the developer was allowed to continue publishing apps on the Play Store after uploading a clean version of the apps. The four infected apps, which are still listed on the Google Play Store, are:
Bluetooth Auto Connect (more than 1,000,000 installs)
Bluetooth App Sender (more than 50,000 installs)
Driver: Bluetooth, Wi-Fi, USB (more than 10,000 installs)
Mobile transfer: smart switch (more than 1,000 installs)
The apps don’t have favorable reviews on Google Play. For instance, one of the reviews for Bluetooth Auto Connect states that the app installs popup adware, which automatically opens in new browser tabs. Other users claim that the app executes its tasks despite the adware. Interestingly, although the apps are malicious, the developer chose to respond to some of the user comments and offered help to resolve the ad problems.
How Do These Malicious Apps Work?
Malwarebytes researchers tracked app activity from the Mobile apps Group and found that these apps wait 72 hours before they start showing ads or opening a phishing link in the browser. After that, they open more tabs with similar malicious content every two hours. The researchers noted that the new browser tabs open even if the device screen is locked, so users would find multiple phishing and ad sites open when they returned to their phones after an interval.
A study of the Manifest file showed that the developer was hiding these actions in an app log using meaningless descriptors such as “sdfsdf.” While this method works very well against automated code scanners, it helped the researchers detect the malicious activity more easily.
Since the discovery has already been made public, we hope Google will take immediate action and remove the malicious apps from the Play Store. If you have downloaded any of the above apps on your Android device, we encourage you to delete them immediately. Further, to keep your Android device safe from malware, it is recommended to avoid downloading apps from third-party marketplaces, read app reviews to see if other users report issues or strange experiences, read app permissions carefully, monitor battery usage and network data activity, and install and update security software.
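
The timing pattern described above (72 hours of silence after install, then a browser launch every two hours, even with the screen locked) can be checked for in device telemetry. The following is an added example, not code from Malwarebytes or from the apps: the event tuple layout, the com.example.* package names and the thresholds are assumptions made for illustration, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events (hypothetical layout, not a real Android log format):
# (timestamp, package, event, screen_locked)
T0 = datetime(2022, 11, 1, 9, 0)
EVENTS = [(T0, "com.example.btconnect", "install", False),
          (T0, "com.example.notes", "install", False),
          (T0 + timedelta(hours=1), "com.example.notes", "open_url", False),
          (T0 + timedelta(hours=30), "com.example.notes", "open_url", False)]
# First launch after 72 h, then one roughly every two hours, mostly while locked.
EVENTS += [(T0 + timedelta(hours=72 + 2 * i, minutes=i), "com.example.btconnect",
            "open_url", i != 0) for i in range(5)]


def flag_delayed_ad_launchers(events, min_delay=timedelta(hours=72),
                              period=timedelta(hours=2),
                              tolerance=timedelta(minutes=10), min_repeats=3):
    """Return {package: summary} for apps that stay quiet for min_delay after
    install and then open URLs on a fixed period."""
    installed, opens = {}, defaultdict(list)
    for ts, pkg, kind, locked in sorted(events, key=lambda e: e[0]):
        if kind == "install":
            installed[pkg] = ts
            opens[pkg].clear()          # a reinstall restarts the clock
        elif kind == "open_url":
            opens[pkg].append((ts, locked))

    flagged = {}
    for pkg, launches in opens.items():
        if pkg not in installed or len(launches) < min_repeats + 1:
            continue                    # unknown install time or too few launches
        if launches[0][0] - installed[pkg] < min_delay:
            continue                    # active soon after install: not this pattern
        gaps = [b[0] - a[0] for a, b in zip(launches, launches[1:])]
        periodic = sum(abs(g - period) <= tolerance for g in gaps)
        if periodic >= min_repeats:
            flagged[pkg] = {
                "first_launch_delay_h": (launches[0][0] - installed[pkg]).total_seconds() / 3600,
                "periodic_gaps": periodic,
                "launches_while_locked": sum(locked for _, locked in launches),
            }
    return flagged


if __name__ == "__main__":
    for pkg, info in flag_delayed_ad_launchers(EVENTS).items():
        print(pkg, info)
```

An app the user opens links from shortly after install, like the constructed com.example.notes, is not flagged; only the long dormancy followed by evenly spaced launches is.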