| Name | Glupteba |
| Additional Names | Glupteba dropper |
| Type of Malware | Trojan |
| Date of Initial Activity | 2017 |
| Motivation | Deliver advertising as its main monetization method |
| Attack Vectors | Installation of apps from unknown or unverified download sites, Exploitation of vulnerabilities, Being dropped or downloaded by another malware |
| Targeted System | Android |
Overview
Android malware which repackages legitimate apps and then releases them to a third-party store. Its main function is displaying ads, but it also can gain access to key security details built into the OS.
Targets
Attacked regular people.
Tools/ Techniques Used
Hiddad is presented as a YouTube downloading app and usually goes to market on Google Play labeled as Tube mate or Snap Tube. The apps distributing this malware all have lots of 5-star ratings from users – and show why it’s important to read the reviews and not just count the numbers of 5-star ratings.
Hiddad starts with a low-profile approach. When installing, all apps in the Hiddad family have the same name – “Music Mania” – and the same icon, with no requests for suspicious permissions. But, after clicking “Install” we can see another application called “plugin android” is requesting installation permission, and if we click next, we will see that it’s requesting device administrator privileges.
These applications force users into leaving 5-star ratings in order to remove ads from the app. Most of these apps do NOT remove ads after the 5-star rating is given. The malware uses different methods to display as many ads as possible to the user, including by installing new hidden adware.
By taking advantage of superuser rights, the malware can hide in the system folder, making it very difficult to delete.
Impact / Significant Attacks
It was first seen in 2017 and has since been used to target users in over 100 countries.
