Researchers recently uncovered 49 adware-laced Android apps that were downloaded from the Google Play store more than 3 million times, collectively, before they were reportedly removed.
Many of the apps were disguised as games, video editors and stylized photo and filter programs. Sample titles included Cut Out Studio Pro, Tattoo Maker, Bubble Effect, CLOWN MASK, Magazine Cover Studio and Music Video Maker.
Users who downloaded the apps have complained in reviews of repeated and intrusive full-screen pop-up ads, as well as ads that pop up when users either click or unlock the screen, according to a Nov. 7 Trend Micro blog post written by company researcher Jessie Huang. Moreover the adware registers itself as a foreground service so it can run whether or not the device owner is actively using the downloaded app.
“The continuous display of ads popping up will consume the battery of the phone, which is an issue that has been around for years,” Huang states in the blog post. “And it will also affect the memory: Since the running process is considered a foreground service, the system sees it as something the user is actively aware of and will not terminate it even if the device is low on memory.”
The adware also plasters the home screen with multiple shortcuts that look like the icon for the Chrome browser. Meanwhile, the actual adware icon remains hidden.
Clicking on the fake icon opens a blank web page that gets refreshes into — you guessed it — another full-screen ad. Clicking the “Recent Screen” button to determine where the ad came from yields no satisfaction, Trend Micro reports, because no information is visibly displayed.
“Deleting the fake browser shortcuts seen on the screen will not delete the app; instead, the user has to go to the phone settings and find the app in the applications section to uninstall it,” Huang explains.
Making matters worse, the ads are difficult to escape from, as they can be closed only by clicking the “back” or “home key. And to avoid detection, the adware uses heavily obfuscated code, and upon installation it delays its malicious activity for a time so that users don’t suspect that the app they just installed is responsible for their sudden influx of advertisements.