Bitdefender has made a concerning revelation, uncovering over 60,000 Android apps in the last six months that install adware on Android devices.
By leveraging advanced anomaly detection technology, Bitdefender Mobile Security successfully detected the hidden adware campaign.
The analysis revealed that the adware was aggressively pushing itself onto Android devices to generate revenue, but the threat actors behind it could easily switch tactics to redirect users to more harmful forms of malware, such as banking Trojans or ransomware. Bitdefender has already discovered 60,000 distinct samples carrying the adware, with suspicions of many more lurking in the wild.
The adware predominantly targeted users in the United States (55.27%), followed by South Korea, Brazil, and Germany. The malicious apps were distributed through deceptive methods, posing as game cracks, unlocked features, free VPNs, fake videos, and counterfeit tutorials for popular platforms like Netflix, YouTube, and TikTok. These apps were hosted on third-party websites, as researchers did not find the same adware hidden in apps on Google Play.
Victims stumbled upon these malicious apps through Google searches, which redirected them to dedicated websites designed to distribute these packages.
To ensure persistence and elude detection, the adware employed various techniques. Since API 30, Google has eliminated the ability to hide the app icon on Android after the launcher is registered. However, if the app doesn’t register the launcher and relies on user interaction for the initial run, it can hide the app icon.
After installation, the app presents an “application is unavailable” message, leading the user to believe it was never installed. It lacks an icon in the launcher and utilizes a UTF-8 character in the label, making it harder to identify and uninstall.
Despite the appearance of an uninstall prompt, tapping “OK to uninstall” keeps the app dormant for two hours before registering intents to launch at boot or when the user interacts with the device, such as unlocking the phone.
Once the malicious app is launched, it retrieves an advertisement URL from the server and employs the mobile browser to load the ad, sometimes as a full-screen WebView ad. Bitdefender has provided Indicators of Compromise (IoCs) for this campaign, assisting users and security professionals in detecting and mitigating this adware threat.
These findings highlight the need for robust security measures and vigilance when downloading apps outside of trusted sources to protect against increasingly sophisticated threats targeting Android devices.
