Malicious actors managed to foil Google's Play Protect app vetting process and place numerous malicious apps into the store Sophos Labs by having them lay doggo before finally activating and bombarding the victim with unwanted ads.
Sophos Labs found the apps, now removed, were downloaded 500,000 times and were obfuscated from both Google and the public by using three relatively simple steps. All were legitimate in the sense that they functioned properly, six were QR code readers and another a compass, thus making it hard for the average person to determine they were dangerous. Secondly, the malware did not activate for several hours after being downloaded which could make it hard for the user to determine exactly what was causing all the ads to appear on their phone.
The third stage is what helped push the apps through the vetting process.
“The adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app. By adding an innocent-looking “graphics” subcomponent to a collection of programming routines that you'd expect to find in a regular Android program, the adware engine inside the app is effectively hiding in plain sight,” Sophos said.
Besides bombarding the victim with ads the malware can send clickable alerts to the device possibly generating extra ad revenue for the criminals.
Once loaded onto a device the app kicks into operation. Here it downloads a Google ad unit ID, A list of URLs to open in your browser to push the ads, a list of messages, icons and links to use in the notifications and finally a time to begin operation.
The nasty behavior begins slowly, but after six hours the victim can look forward to a steady stream of full screen ads, sending notifications and ad-related web pages. This happens even if the malicious QR code or compass app is closed.
The apps have been pulled from Google Play.