Android YouTube download apps flood devices with ads to secure high ratings for droppers

More unpleasant surprises spread via the official Google Play store.

Rate app

An Android trojan floods infected devices with advertisements to provoke users into doling out high ratings for its dropper apps.

The adware, detected as Android/Hiddad.BZ, hid itself inside seven applications available for download on Google Play. One app bore the name "Tube.mate." Another identified itself as "SnapTube".

Apps on Play store

All these apps, which Google has since pulled from its official Play Store, had a few things in common. First, the apps had a large number of high ratings from users. Second, they all promised they could download content from YouTube. Third, each of them resolved to "Music Mania" upon successful installation.

The icon for "Music Mania" conceals a secret: it's a dropper that loads an ad-displaying component. The element masquerades as a system plugin that requires administrator rights. Installing the fake plugin installs the adware payload, which demands its own superuser privileges from the user while posing as yet another fake plugin.

5 576x1024

ESET malware analyst Lukas Stefanko explains what happens next:

"After granting the rights, the user is immediately shown a screen full of ads and consequently asked to rate the app with five stars “to remove all ads”. Cancelling the message will result in an even greater flood of ads shown on the user’s device, aiming to provoke the user into rating the app next time the prompt is displayed."

You can view a video of Hiddad.BZ in action below.

Have you been affected by this adware?

If so, there's not much to fear. First, uninstall Music Mania using your Application Manager. You then need to go to your device's security settings and disable administrator rights for "plugin android." Only then can you uninstall the payload.

If you haven't met Hiddad.BZ, which is not the first adware to affect apps on Google Play, endeavor not to by making sure to read the reviews of each app you're considering installing.

Ordinary users might not always make the best security decisions. But they're usually more than willing to write a scathing review if, for instance, an app doesn't work and demands that they rate it five stars.

Tags: , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , , ,

No comments yet.

Leave a Reply