This morning SophosLabs alerted individuals and businesses to a malware family that had infiltrated Google Play by presenting itself as a bunch of handy utilities.
What’s the malware all about?
Sophos detects this malware as Andr/HiddnAd-AJ, and the name gives you an inkling of what the rogue apps do: blast you with ads, but only after lying low for a while to lull you into a false sense of security.
SophosLabs reported the offending apps to Google, and they’ve now been pulled from the Play Store, but not before some of them attracted more than 500,000 downloads.
The subterfuge used by the developers to keep Google’s “Play Protect” app-vetting process sweet seems surprisingly simple.
How the crooks operate
First, the apps were, at least on the surface, what they claimed to be: six were QR code readers; one was a so-called “smart compass”.
In other words, if you were just trying out apps for fun, or for a one-off purpose, you’d have no obvious reason to doubt their own descriptions.
Second, the crooks didn’t fire up the adware part of their apps right away: each app lurked innocently for a few hours before unleashing its barrage of ads.
Third, the adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app.
By adding an innocent-looking “graphics” subcomponent to a collection of programming routines that you’d expect to find in a regular Android program, the crooks effectively hid the adware engine in plain sight.
Admittedly, Google’s app vetting process is far from perfect, but the company does at least carry out some pre-acceptance checks.
Many off-market Android app repositories have no checks at all – they’re open to anyone, which can be handy if you’re looking for unusual or highly specialised apps that wouldn’t make it onto Google Play (or if you’re trying to publish unconventional content).
But unregulated app repositories are also risky, for exactly that reason: nobody is vetting what gets published.
As mentioned, Google no longer endorses these apps, and if you install the free Sophos Mobile Security for Android product, we’ll detect and optionally remove these ad-foisting apps if you already have them on your device.