Android Adware reappears on third-party platforms after being taken down from the Google Play Store
The SonicWall Capture Labs Threat Research team has been observing Android adware that was available on the Google Play Store. These applications have now been removed from the Play Store but are still being distributed via third-party platforms. The hidden adware continuously shows advertisements, some of which contain download links and lead to false clicks, so users end up with unwanted applications.
Fig2: Malicious applications available on third-party store
After installation, the application changes its icon to a blank icon without a name, making it difficult for the user to identify which application is showing advertisements.
Fig3: Application icon change
Here, <activity-alias> is used to switch from the original icon to a blank icon and then launch the same application to perform adware activities, as shown in the code snippet below.
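For triage, the check below is an added example (not the snippet from the original post, and not SonicWall code) that reads a decoded AndroidManifest.xml and lists every <activity-alias> that is a launcher entry pointing at an activity which is already a launcher entry, noting whether it carries a blank label or its own icon. The sample manifest and all component names are constructed, and the result is a heuristic for manual review, since legitimate apps also use launcher aliases.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample (shape of a decoded text manifest); every name is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application android:icon="@drawable/ic_launcher" android:label="@string/app_name">
  <activity android:name=".MainActivity">
   <intent-filter><action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
  </activity>
  <activity-alias android:name=".Blank" android:targetActivity=".MainActivity"
      android:icon="@drawable/blank" android:label="">
   <intent-filter><action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
  </activity-alias>
  <activity-alias android:name=".Share" android:targetActivity=".MainActivity"/>
 </application>
</manifest>"""

def is_launcher(component):
    """True if one intent-filter declares both MAIN and LAUNCHER."""
    for flt in component.findall("intent-filter"):
        actions = {a.get(NS + "name") for a in flt.findall("action")}
        categories = {c.get(NS + "name") for c in flt.findall("category")}
        if MAIN in actions and LAUNCHER in categories:
            return True
    return False

def find_launcher_aliases(manifest_xml):
    """List launcher aliases whose target activity is itself a launcher entry."""
    app = ET.fromstring(manifest_xml).find("application")
    launchers = {a.get(NS + "name") for a in app.findall("activity") if is_launcher(a)}
    findings = []
    for alias in app.findall("activity-alias"):
        target = alias.get(NS + "targetActivity")
        if is_launcher(alias) and target in launchers:
            icon, label = alias.get(NS + "icon"), alias.get(NS + "label")
            findings.append({
                "alias": alias.get(NS + "name"),
                "target": target,
                "blank_label": label is not None and not label.strip(),
                "own_icon": icon is not None and icon != app.get(NS + "icon"),
            })
    return findings
```

The manifest inside an APK is binary XML, so it has to be decoded to text first; a label given as a string resource reference needs to be resolved before the blank-label check means anything.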
After installation, multiple advertisements start showing, each with a long waiting time before it can be closed, and this is a recurring action.
This adware pretends to protect the device from harmful applications and shows a constant message in the status bar to get the benefit of the doubt, so it remains unidentified as the source of the advertisements.
Similarly, to pass itself off as an optimizer application, the adware shows a notification after every new application installation.
Sensitive device information (IMEI number, location, etc.) accessed by the adware is shown in the code snippet below.
To check resource utilization, we tested after a device factory reset, and battery usage was very high compared to other applications because of the huge number of advertisements.
Problems caused by the adware:
- Difficult to identify and uninstall the application.
- Due to intensive resource usage, device speed goes down and applications start crashing.
- The battery starts draining quickly.
- Leads to high internet usage.
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOC):