Android adware reappears on third-party stores after being taken down from the Google Play Store
SonicWall Capture Labs Threat Research team has been observing Android adware that was available on the Google Play Store; it has since been removed from the Play Store but is still being distributed via third-party platforms. This hidden adware continuously shows advertisements, some of which contain download links and lead to accidental clicks, leaving users with unwanted applications.
Fig 1: Application removed from Google Play Store
Fig 2: Malicious applications available on third-party store
After installation, the application changes its icon to a blank icon without a name, making it difficult for the user to identify which application is showing advertisements.
Fig 3: Application icon change
Here an <activity-alias> entry is used to replace the original launcher icon with a blank one and then launch the same application to carry out the adware activity, as shown in the code snippet below.
Fig 4: Use of activity-alias tag
After installation, multiple advertisements start appearing; each takes a long time before it can be closed, and this repeats continuously.
The adware pretends to be protecting the device from harmful applications and shows a persistent message in the status bar to gain the user's trust, so it remains an unidentified source of the advertisements.
Fig 6: Message in the status bar
Similarly, to pass as an optimizer application, the adware shows a notification after every new application installation.
Fig 7: Pop-up after new application installation
Sensitive device information (IMEI number, location, etc.) accessed by the adware is shown in the code snippet below.
Fig 8: Access to device information
To check resource utilization, we tested after a factory reset of the device; battery usage compared to other applications was very high due to the huge number of advertisements.
Problems caused by the adware:
- Difficult to identify and uninstall the application.
- Due to intensive resource usage, device speed goes down and applications start crashing.
- The battery starts draining quickly.
- Leads to high internet usage.
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOC):