Three applications on Google Play combine three deception techniques to disguise their actions while running in the background, according to a blog post from Symantec.
The apps "use delayed attacks, self-naming tricks, and an attack list dictated by a command-and-control server to click on ads in the background without the user's knowledge," the post stated.
While the Symantec researchers reported that the strategies are "relatively common," the bundle, dubbed Android.Fakeapp, is unique, they said.
Symantec recommends users follow these best practices to stay protected from mobile threats:
The apps were downloaded tens of thousands of times, according to Google Play.
The apps appear under one name on the home screen but in fact run under a different process name, which lets them hide by removing their own icon from the launcher.
Once a device is infected, the malware receives commands from remote servers and can begin clicking on ads in the background, earning the attackers money – all without the device owner's knowledge. The malware can even be updated with new configurations to increase revenue for the attacker.
Because the app comes with a delay mechanism, victims might attribute their phone's behavior to another app installed subsequently. The strategy also disguises the app from AV programs using dynamic analysis as "the delay often leads to dynamic analysis exiting before it detects the threat," the report explained.
Further, the apps can request Device Administrator privileges from the device owner. Should a user be duped into clicking on "OK," the app is further disguised and rendered harder to disable.
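The behaviours described above (a home-screen label that does not match the process name, a launcher icon that disappears, a request for Device Administrator, a dormant period long enough to outlast sandbox analysis, and ad-network traffic with no ad on screen) are most useful to a defender when combined. The following is an added triage example, not Symantec's code or anything from the report; the AppRecord fields, the six-hour analysis window and the sample inventory are all assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class AppRecord:
    package: str            # package / process name as the OS sees it
    label: str              # name shown on the home screen
    launcher_enabled: bool  # launcher activity still enabled after install?
    device_admin: bool      # app currently holds Device Administrator?
    install_ts: int         # install time, epoch seconds
    first_net_ts: int       # first outbound connection, epoch seconds
    bg_ad_requests: int     # ad-network requests made while no UI was foreground

HOURS = 3600
ANALYSIS_WINDOW = 6 * HOURS  # assumed dynamic-analysis budget; tune per sandbox

def fakeapp_indicators(app: AppRecord) -> list[str]:
    """Return the Android.Fakeapp-style behaviours this record exhibits."""
    hits = []
    if not app.launcher_enabled:
        hits.append("launcher icon removed after install")
    # crude check: the displayed name should at least echo the package name
    if app.label.lower().replace(" ", "") not in app.package.lower():
        hits.append("home-screen label unrelated to process name")
    if app.device_admin:
        hits.append("holds Device Administrator")
    if app.first_net_ts - app.install_ts > ANALYSIS_WINDOW:
        hits.append("first network contact delayed beyond analysis window")
    if app.bg_ad_requests > 0:
        hits.append("ad-network traffic with no ad ever shown")
    return hits

def triage(apps: list[AppRecord], min_hits: int = 3) -> dict[str, list[str]]:
    """Flag only apps that combine several indicators; any one alone is common."""
    flagged = {}
    for app in apps:
        hits = fakeapp_indicators(app)
        if len(hits) >= min_hits:
            flagged[app.package] = hits
    return flagged

# constructed sample inventory: one ordinary app, one showing the full pattern
T0 = 1_700_000_000
BENIGN = AppRecord("com.example.notes", "Notes", True, False, T0, T0 + 45, 0)
SUSPECT = AppRecord("com.svc.upd8", "Flashlight Pro", False, True, T0, T0 + 24 * HOURS, 37)
SAMPLE_APPS = [BENIGN, SUSPECT]

if __name__ == "__main__":
    for pkg, why in triage(SAMPLE_APPS).items():
        print(pkg, "->", "; ".join(why))
```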
When queried about what distinguishes this adware from previous iterations, Brian Ewell, principal security response manager at Symantec, told SC Media on Wednesday that this particular malware shouldn't be classified as adware – a program responsible for presenting the viewer with ads to encourage clicks – but rather as an adclicker, which is a program responsible for clicking on ads that are not presented to the viewer at all.
"The former would earn income if the end-user clicks on the ad whereas the latter automatically generates income for the attacker since it's providing the clicks without input," he explained.
The delivery method isn't new, Ewell pointed out, as it's distributed by download from an app store. "But the combination of malicious functionality involved hasn't necessarily been seen before," he said. "Combining multiple functions to perform the malicious activity may allow them to gain a foothold, but that's bound to be short-lived. In order to bypass increasingly effective device security countermeasures, these coders would need to be persistent and find new ways to re-invent their approach or else they will fall behind."
As for how the malware changes, the code itself doesn't change, Shaun Aimoto, principal SQA engineer at Symantec, told SC Media on Wednesday. "But the config file received from the command-and-control server can have the malware modify the amount of time it lays dormant as well as which ads it targets for clicking in the background."