Millions of Android users at risk from adware, secretly lurking inside Google Play apps

Every time you unlock your Android smartphone, are you greeted with messages like this?

Android ad messages

****** !!! URGENT !!! ******

Your phone may be slow!

Click OK and follow the instructions to fix your Internet !

Closely followed by strong pressure to download an app onto your Android device, such as this one:

Software Update Notification

Your Google Nexus 5 Launcher is obsolete!
If you do not upgrade to the latest version, your system will slow down and can crash from time to time!

Tap the button and install ZERO Launcher Updater. Size: 1MB (only 3-4 seconds to download)

UPDATE NOW

If so, chances are that you have fallen foul of a spate of apps that have managed to make their way into the official Google Play store, despite secretly harbouring a malicious advertising SDK within their code.

The threat was brought to light by Andrei Mankevich, an independent game developer from Belarus, who alerted Avast's research team about the issue in a post on the security company's forum.

As a blog post by Avast researcher Filip Chytry explains, affected Android apps include the Durak card game that has been installed on between 5 and 10 million Android devices.

But you won't notice the in-your-face advertising when you first install Durak. Instead, the adware module embedded in the app's code waits a week or more before activating - making it harder for the user to know which app might be responsible for the irritating messages that they are now seeing.

Furthermore, the advertising messages may go further than suggesting that your Android device is performing slowly - and may actually display warnings that the security of your device, including personal photos and passwords, is under threat:

Scary security threat warning

Security of your HTC EVO3D X515m may be threatened!

Your personal photos and passwords on your HTC EVO3D X515m could be at risk!

To improve the security of your device and protect against possible threats and viruses, we recommend you to update your device with a new application - 360 Mobile Security!

That's at the very least an irritating message to see every time you unlock your Android phone, but imagine if you were not security-savvy and believed the warning to be credible. It is, it has to be said, a convincing piece of social engineering that could easily trick many users into following the instructions and downloading more apps onto the phone... and potentially introducing new threats.

What is perhaps most worrying is that the advertising SDK being used in these apps isn't limited to just displaying irritating messages promoting other apps. According to Mankevich, it also contains code to make changes to a device's browser home page, create new shortcuts on the user's desktop and make alterations to system settings.

Such techniques are typical for Android malware, which often monetises itself by driving traffic to alternative search engines or tricking users into visiting sites that they would not normally consider.
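A triage sketch for the two behaviours described above (delayed activation, plus shortcut and settings changes), added here as an example and not taken from Avast's or Mankevich's analysis: it shortlists apps that were installed at least a week before the ads began and that request matching permissions. The `dumpsys package` excerpt is constructed and simplified (the real layout varies by Android version), the `com.example.*` package names are hypothetical, and the choice of permissions is an assumption.

```python
import re
from datetime import datetime, timedelta

# Assumption: permissions that line up with the shortcut/settings changes described.
RISKY = {
    "com.android.launcher.permission.INSTALL_SHORTCUT",
    "android.permission.WRITE_SETTINGS",
}

# Constructed sample, simplified from `adb shell dumpsys package` output.
SAMPLE_DUMP = """\
Package [com.example.cardgame] (1a2b3c):
    firstInstallTime=2015-01-05 18:22:10
    requested permissions:
      android.permission.INTERNET
      android.permission.WRITE_SETTINGS
      com.android.launcher.permission.INSTALL_SHORTCUT
Package [com.example.notes] (4d5e6f):
    firstInstallTime=2015-01-20 09:00:00
    requested permissions:
      android.permission.WRITE_SETTINGS
Package [com.example.torch] (7a8b9c):
    firstInstallTime=2014-11-02 07:15:44
    requested permissions:
      android.permission.CAMERA
"""

def parse_packages(dump):
    """Return {package: {"installed": datetime or None, "perms": set}}."""
    pkgs, current = {}, None
    for line in dump.splitlines():
        s = line.strip()
        m = re.match(r"Package \[([^\]]+)\]", s)
        if m:
            current = pkgs.setdefault(m.group(1), {"installed": None, "perms": set()})
        elif current is None:
            continue  # ignore anything before the first Package header
        elif s.startswith("firstInstallTime="):
            current["installed"] = datetime.strptime(s.split("=", 1)[1], "%Y-%m-%d %H:%M:%S")
        elif re.fullmatch(r"[\w.]+\.permission\.[A-Z_]+", s):
            current["perms"].add(s)
    return pkgs

def suspects(dump, ads_first_seen, min_delay_days=7):
    """Apps installed >= min_delay_days before the ads began that request RISKY perms."""
    cutoff = ads_first_seen - timedelta(days=min_delay_days)
    hits = [(pkg, sorted(p["perms"] & RISKY)) for pkg, p in parse_packages(dump).items()
            if p["installed"] and p["installed"] <= cutoff and p["perms"] & RISKY]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))  # most matches first
```

Many legitimate apps request these permissions too, so the result is a shortlist to review or uninstall one at a time, not a verdict.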

Of course, even if the adverts themselves are unwanted and a nuisance, the apps promoted by them may be legitimate - take, for instance, the following example, which promotes the alternative mobile browser Opera Mini.

Ad for Opera Mini

Chances are that the scammers behind the advertising campaign are not directing users to a genuine app like Opera Mini because of any harm it could cause, but because they are earning affiliate cash somewhere along the route.

The good news is that Google appears now to have removed the offending apps from the Google Play store.

But it's anyone's guess how many other apps might be lurking in Google's official Android app store that have similarly unpleasant surprises waiting inside them...

5 Responses

  1. Coyote

    February 3, 2015 at 11:28 pm #

    "But it’s anyone’s guess how many other apps might be lurking in Google’s official Android app store that have similarly unpleasant surprises waiting inside them…"

    And then there's the fake AVs… and indeed I can see how those messages could trick some people. Some are more convincing than others but the sad and perhaps most ironic thing is: software doesn't tell you when it itself is outdated (as above) and it especially doesn't tell you that your battery will lose life (and other similar things). Even when it does notify you that a component has risks (e.g. Firefox with plugins) they aren't necessarily in plain sight. True, software can notify you that it is outdated in the lines with it having the ability to update itself (and otherwise checks for updates as part of the software itself) or an update manager telling you (which is also understandable), that is quite different from the above. Similar rules apply to other things but there are always signs that something isn't right (but not necessarily visible to everyone if they even know to look for them). The end result, and the problem itself can be summarised as: awareness is important but there simply isn't enough (and I don't think there ever will be… which is yet another reason the way you describe things to those not in the know, is such a good thing).

    • Sebastian “Angelo” Cork in reply to Coyote.

      February 4, 2015 at 3:30 pm #

      Coyote, you expressed what I couldn't have in a much better way. Mobile security awareness is so critically involved with everything we do nowadays. I wish there would be a global campaign started specifically for that purpose. The Super Bowl would have made a great event for funding an ad campaign to promote mobile security awareness. Perhaps anti-malware companies could turn more of their attention toward that cause, as they have a good reach. It should be each individual's responsibility to learn to secure themselves and their information, but sadly, many people leave it up to the bigger companies (Google, Apple, Microsoft, etc.) to not allow these apps to enter the marketplaces in the first place.

      • Coyote in reply to Sebastian “Angelo” Cork.

        February 6, 2015 at 10:36 pm #

        Thanks Sebastian. I appreciate the comment. Yes indeed: awareness is key yet most don't realise they're locked out and need a key in the first place. Definitely leaving it to others is a problem too: it is (your) responsibility to get yourself to the doctor if you have a deep wound needing medical help (or in this case more likely emergency) notwithstanding legal incompetence/etc. (but then your care taker should be there to help). So too should this be the way with people's phones, computers, whatever else. But it won't change; indeed, many do NOT take care of their own health, take it for granted, etc. (the two are correlated) Interesting idea though – having IT companies doing something like that. I get the feeling (but I wouldn't know) that such events would have too much competition and (they) would be outbid in an attempt to get time on the air. In any case, lack of awareness is a problem but what to do? Some simply don't want to know and others don't even think X is possible until it is proved very possible and directly causing them problems.

  2. David L

    February 4, 2015 at 7:46 pm #

    Hi all,

    The last update to the "Sprintzone" app included adware without giving any notice about it, or how to opt out. It was delayed activation too. When I turned my phone on the next morning, I was getting airpush notices that redirected to playstore. When I did the touch and hold on the notice, it said the app was "fun & games". So I checked recent apps, and sure enough, there it was. But when I searched for it in settings, app manager, it was nowhere to be found. So I figured after awhile that it had to be Sprintzone update causing it. When I opened Sprintzone, then settings, I was shocked at all the defaults checked off, including the app within an app. So I UNCHECKED all the boxes, then uninstalled all updates, and erased data, force stopped. But of course it comes back after reboot. So I have a task manager kill it on a regular, daily basis. That's the only way to keep bloatware dead!

    Now, Clean Master app is a very shady advertiser using scareware lite ads. They have been all over the place telling people "your phone has a virus?" Or you have battery issues, clean now and other such sayings in banner ads. They were even pulled from playstore for a bit last year for something related to their aggressive, slightly dishonest, advertising. They are owned by Kingsoft, who pushes all kinds of other apps like DU battery saver, and various games. And of course they are a Chinese company. Just one of many who have been called out for deviousness.

  3. Pratik

    March 8, 2015 at 7:53 am #

    Thanks for highlighting the exact same issue I am facing. Read a lot about it now, but didn't find any solution. I have reset my phone, troubled my ISP but no use.

    Any solutions please?