Apps employed a variety of tricks to avoid detection by Google and infected users.
Developers employed a variety of tricks to populate Google Play with more than a dozen apps that bombard users with ads, even when the apps weren’t being used, researchers said on Tuesday.
Among the tactics used to lower the chances of being caught by Google or peeved users: the apps wait 48 hours before hiding their presence on devices, hold off displaying ads for four hours, display the ads at random intervals, and split their code into multiple files, researchers with antivirus provider Bitdefender reported. The apps also contain working code that does the things promised in the Google Play descriptions, giving them the appearance of legitimacy. In all, Bitdefender found 17 such apps with a combined 550,000 installations.
One of the apps Bitdefender analyzed was a racing simulator that also charged in-app fees for extra features. While it worked as advertised, it also aggressively displayed ads that drained batteries and sometimes prevented people from playing the game. After a four-hour waiting period, ad displays were triggered using a random number (less than three) that was checked against a value. If the random number was equal to the value, an ad would appear.
The result: when a user unlocks an infected phone, there’s a one-in-three chance it will display an ad. The ad-showing mechanisms are also scattered within multiple activities and use modified adware developer kits. The randomness of the ad occurrences and display-time intervals further makes it hard to notice patterns that might help identify the source. The app uses other tricks to make the displays unpredictable.
“Users see multiple ads either in-game when pressing different buttons or even if not in the app,” Tuesday’s report said. “The frequency at which ads appear while in the game depends on a random value. In half the cases, there is a probability that when using some game functionalities, an ad pop[s] up.”
The app also splits its contents into two resource files. The ad-serving code is found in the first one, while the working game code is found in the second. Bitdefender researchers wrote:
In terms of registered receivers, the first one is for android.intent.action.BOOT_COMPLETED. When the broadcast is received, the app will begin an activity, which starts a job scheduler for showing ads. The scheduled service starts after 10 minutes and shows an ad only once. The scheduler recreates itself by calling the method from the activity that created it initially, then starts again after 10 minutes.
Another receiver the app registers is for android.intent.action.USER_PRESENT. Whenever the user unlocks the device, if at least 4 hours have passed since the app installed it, there is a chance an ad will show. That’s because the ad displays are programmed by generating a random number of less than 3 that is checked against a value. If the number generated is equal to the check number, an ad appears. Therefore, the probability of displaying ads is once every three times the user unlocks the phone.
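A triage check for the two receiver registrations the Bitdefender excerpt describes, added here as an example and not taken from Bitdefender or the original article. It assumes a manifest already decoded to text XML (for instance with apktool); the function names and the sample manifest are constructed, and receivers registered at runtime in code will not show up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # fully qualified android:name attribute

# The two broadcasts named in the excerpt above.
WATCHED = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}

# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".UnlockReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def receivers_by_action(manifest_xml: str) -> dict:
    """Map each watched broadcast action to the receivers declared for it."""
    # For manifests from untrusted APKs, prefer a hardened parser (defusedxml).
    root = ET.fromstring(manifest_xml)
    found = {}
    for receiver in root.iter("receiver"):
        rname = receiver.get(NAME, "<unnamed>")
        for action in receiver.iter("action"):
            if action.get(NAME) in WATCHED:
                found.setdefault(action.get(NAME), []).append(rname)
    return found

def needs_review(manifest_xml: str) -> bool:
    """True when the manifest declares receivers for both boot and unlock."""
    return WATCHED.issubset(receivers_by_action(manifest_xml))

if __name__ == "__main__":
    print(receivers_by_action(SAMPLE_MANIFEST), needs_review(SAMPLE_MANIFEST))
```

Many legitimate apps listen for one of these broadcasts, so a hit is a reason to inspect the named receivers, not a verdict.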
In all, Bitdefender found 17 apps that use the same tactics. They were downloaded a total of 550,000 times. At publication time, Google was in the process of removing the apps from Play. Google representatives didn’t immediately respond to an email seeking comment for this post. The apps are:
- Car Racing 2019
- 4K Wallpaper (Background 4K Full HD)
- Backgrounds 4K HD
- QR Code Reader & Barcode Scanner Pro
- File Manager Pro – Manager SD Card/Explorer
- VMOWO City: Speed Racing 3D
- Barcode Scanner
- Screen Stream Mirroring
- QR Code – Scan & Read a Barcode
- Period Tracker – Cycle Ovulation Women’s
- QR & Barcode Scan Reader
- Wallpapers 4K, Backgrounds HD
- Transfer Data Smart
- Explorer File Manager
- Today Weather Radar
- Mobnet.io: Big Fish Frenzy
- Clock LED
The following image, courtesy of Bitdefender, provides additional details:
Technically, the apps aren’t classified as malware because they limit their hidden functions to displaying ads. Given the battery drainage they cause and the potential that the developers may add new, more nefarious behaviors in updates, these apps should be uninstalled as soon as practical.