Every time you unlock your Android smartphone, are you greeted with messages like this?
****** !!! URGENT !!! ******
Your phone may be slow!
Click OK and follow the instructions to fix your Internet !
Closely followed by strong pressure to download an app onto your Android device, such as this one:
Software Update Notification
Your Google Nexus 5 Launcher is obsolete!
If you do not upgrade to the latest version, your system will slow down and can crash from time to time!
Tap the button and install ZERO Launcher Updater. Size: 1MB (only 3-4 seconds to download)
If so, chances are that you have fallen foul of a spate of apps that have managed to make their way into the official Google Play store, despite secretly harbouring a malicious advertising SDK within their code.
The threat was brought to light by Andrei Mankevich, an independent game developer from Belarus, who alerted Avast’s research team about the issue in a post on the security company’s forum.
As a blog post by Avast researcher Filip Chytry explains, affected Android apps include the Durak card game that has been installed on between 5 and 10 million Android devices.
But you won’t notice the in-your-face advertising when you first install Durak. Instead, the adware module embedded in the app’s code waits a week or more before activating - making it harder for the user to know which app might be responsible for the irritating messages that they are now seeing.
Furthermore, the advertising messages may go further than suggesting that your Android device is performing slowly - and may actually display warnings that the security of your device, including personal photos and passwords, is under threat:
Security of your HTC EVO3D X515m may be threatened!
Your personal photos and passwords on your HTC EVO3D X515m could be at risk!
To improve the security of your device and protect against possible threats and viruses, we recommend you to update your device with a new application - 360 Mobile Security!
That’s at the very least an irritating message to see every time you unlock your Android phone, but imagine if you were not security-savvy and believed the warning to be credible. It is, it has to be said, a convincing piece of social engineering that could easily trick many users into following the instructions and downloading more apps onto the phone… and potentially introducing new threats.
What is perhaps most worrying is that the advertising SDK being used in these apps isn’t limited to just displaying irritating messages promoting other apps. According to Mankevich, it also contains code to make changes to a device’s browser home page, create new shortcuts on the user’s desktop and make alterations to system settings.
Such techniques are typical for Android malware, which often monetises itself by driving traffic to alternative search engines or tricking users into visiting sites that they would not normally consider.
Of course, even if the adverts themselves are unwanted and a nuisance, the apps promoted by them may be legitimate - take, for instance, the following example, which promotes the alternative mobile browser Opera Mini.
Chances are that the scammers behind the advertising campaign are not directing users to a genuine app like Opera Mini because of any harm it could cause, but because they are earning affiliate cash somewhere along the route.
The good news is that Google appears now to have removed the offending apps from the Google Play store.
But it’s anyone’s guess how many other apps might be lurking in Google’s official Android app store that have similarly unpleasant surprises waiting inside them…