
Android adware reappears on third-party stores after being taken down from the Google Play Store
SonicWall Capture Labs Threat Research team has been observing Android adware applications that were previously available on the Google Play Store. They have since been removed from the Play Store but are still being distributed via third-party platforms. This hidden adware continuously shows advertisements, some of which contain download links and lead to false clicks, leaving users with unwanted applications.
Fig1: Application removed from Google Play Store
Fig2: Malicious applications available on third-party store
Infection Cycle:
After installation, the application changes its icon to a blank icon without a name, making it difficult for the user to identify which application is showing advertisements.
Fig3: Application icon change
Here the <activity-alias> tag is used to replace the original icon with a blank one and then launch the same application to perform the adware activity, as shown in the code snippet below.
Fig4: Use of activity alias tag
After installation, multiple advertisements start appearing, each with a long wait before it can be closed, and this repeats continuously.
This adware pretends to protect the device from harmful applications and shows a constant message in the status bar to gain the benefit of the doubt, so that it remains an unidentified source of advertisements.
Fig6: Message in the status bar
Similarly, to pass itself off as an optimizer application, the adware shows a notification after every new application installation.
Fig7: Pop up after new application installation
Sensitive device information (IMEI number, location, etc.) accessed by the adware is shown in the code snippet below.
Fig8: Access device information
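The two behaviours described above, the icon swap through an <activity-alias> and the access to device identifiers and location, both leave traces in the APK's AndroidManifest.xml. The following triage script is an added example written for this post; it is not SonicWall's code and not code from the adware. It parses a decoded manifest and flags (a) launcher aliases whose icon or label differ from the application's own, which is how an app ends up as a blank, nameless entry in the drawer, and (b) the permissions that gate the IMEI and location APIs. The sample manifest, its package name, component names and drawable names are all constructed placeholders, not values from the samples in this post.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that gate the data the post says the adware reads.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "device identifiers (IMEI)",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
}

# Constructed sample manifest modelled on the behaviour described in the post.
# Package, component and drawable names are made-up placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.cleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:icon="@drawable/app_icon" android:label="Cleaner">
        <activity android:name=".MainActivity" android:exported="true"/>
        <activity-alias android:name=".HiddenAlias"
            android:targetActivity=".MainActivity"
            android:icon="@drawable/blank"
            android:label=""
            android:enabled="true"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity-alias>
    </application>
</manifest>
"""


def _attr(elem, name):
    # Manifest attributes live in the android: namespace.
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_hidden_launcher_aliases(manifest_xml):
    """Return (alias, target, reasons) for every <activity-alias> that owns a
    LAUNCHER intent-filter but presents a different icon or an empty label
    than the <application> element, i.e. what the user sees in the drawer."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    app_icon = _attr(app, "icon")
    findings = []
    for alias in app.iter("activity-alias"):
        has_launcher = any(
            _attr(cat, "name") == "android.intent.category.LAUNCHER"
            for cat in alias.iter("category")
        )
        if not has_launcher:
            continue
        icon = _attr(alias, "icon")
        label = _attr(alias, "label")
        reasons = []
        if icon is not None and icon != app_icon:
            reasons.append("icon differs from application icon (%s)" % icon)
        if label is not None and label.strip() == "":
            reasons.append("empty label")
        if reasons:
            findings.append((_attr(alias, "name"), _attr(alias, "targetActivity"), reasons))
    return findings


def find_sensitive_permissions(manifest_xml):
    """Return the declared permissions that unlock IMEI or location access."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        (_attr(p, "name"), SENSITIVE_PERMISSIONS[_attr(p, "name")])
        for p in root.iter("uses-permission")
        if _attr(p, "name") in SENSITIVE_PERMISSIONS
    )


def triage(manifest_xml):
    """Combine both checks into one report dictionary."""
    return {
        "hidden_launcher_aliases": find_hidden_launcher_aliases(manifest_xml),
        "sensitive_permissions": find_sensitive_permissions(manifest_xml),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    for alias, target, reasons in report["hidden_launcher_aliases"]:
        print("suspicious launcher alias %s -> %s: %s" % (alias, target, "; ".join(reasons)))
    for perm, meaning in report["sensitive_permissions"]:
        print("sensitive permission %s (%s)" % (perm, meaning))
```

Run it against a manifest decoded with a tool such as apktool. A legitimate app may also use an alias (for example to offer alternative icons), so the alias finding is a triage signal to be read together with the permission list and the observed ad behaviour, not a verdict on its own.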
To check resource utilization, we tested after a factory reset of the device; the battery usage was very high compared to other applications because of the huge number of advertisements.
Problems caused by the adware:
- Difficult to identify and uninstall the application.
- Due to intensive resource usage, the device slows down and applications start crashing.
- The battery starts draining quickly.
- Leads to high internet usage.
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOC):
87fb25e1087b14c5da692667000f04615d90525277fcdc316ef7c6f0326c1bcf
b97b648b29f824a2abd3f84484249807ec00acb50d7aa914a059b34f6590a657
f68ca1129a5e57bdad18301100ee7a3f2ee3864362a9d939e78db09d8c10e6a2
87267d97fa3aa3eb55465021ad615ccf28b9f595053980f31ad804df49b2223c