Malwarebytes has identified four malicious apps on Google Play that direct users to sites that steal personal information or earn money for the malware operators through ad clicks. In addition, some of the sites prompt victims to download fake antivirus solutions or updates, infecting devices with malware.
All four malicious apps are still on Google Play. They were published by a developer called Mobile apps Group, which previously built Trojans into its applications and then removed them so that it could keep operating on Google Play.
Here is a list of infected applications:
- Bluetooth Autoconnect (More than 1 million downloads);
- Driver: Bluetooth, Wi-Fi, USB (More than 10 thousand downloads);
- Bluetooth App (More than 50 thousand downloads);
- Mobile Transfer: smart switch (More than a thousand downloads).
Only Bluetooth Autoconnect has reviews, one of which states that ads automatically open browsers and prevent the app from being used. Other users claim that the application performs its tasks despite the adware.
By tracking the activity of apps from Mobile apps Group, Malwarebytes researchers found that the apps wait 72 hours before they start showing ads or opening a phishing link in the browser, after which they open new tabs with malicious content every two hours. Experts noted that new browser tabs open even if the device screen is locked.
Analysis of the Manifest file showed that the developer tried to mask the action logs using the meaningless "sdfsdf" descriptor. While this method works well against automated code scanners, it helped the researchers detect the malicious activity.
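The timing pattern described above (72 hours of dormancy, then a browser tab every two hours, including while the screen is locked) can be checked against device telemetry. The following is an added example, not code from Malwarebytes or from the apps: the event format, package names, tolerance and minimum launch count are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Thresholds from the article; tolerance and minimum count are assumptions.
DORMANCY = timedelta(hours=72)
PERIOD = timedelta(hours=2)
TOLERANCE = timedelta(minutes=15)
MIN_LAUNCHES = 3

def flag_delayed_periodic_launchers(installs, launches):
    """installs: {package: install time}; launches: (time, package, screen_locked)
    browser-open events. Returns {package: reasons} when at least two signals match."""
    by_pkg = {}
    for ts, pkg, locked in launches:
        by_pkg.setdefault(pkg, []).append((ts, locked))
    findings = {}
    for pkg, events in by_pkg.items():
        if pkg not in installs:
            continue  # no install time, so dormancy cannot be judged
        events.sort()
        times = [ts for ts, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        reasons = []
        if times[0] - installs[pkg] >= DORMANCY:
            reasons.append("dormant>=72h")
        if len(times) >= MIN_LAUNCHES and all(abs(g - PERIOD) <= TOLERANCE for g in gaps):
            reasons.append("periodic~2h")
        if any(locked for _, locked in events):
            reasons.append("launch-while-locked")
        if len(reasons) >= 2:
            findings[pkg] = reasons
    return findings

# Constructed sample data: package names and timestamps are made up.
T0 = datetime(2022, 11, 1, 9, 0)
SAMPLE_INSTALLS = {"com.example.btconnect": T0, "com.example.newsreader": T0}
SAMPLE_LAUNCHES = [
    (T0 + timedelta(hours=1), "com.example.newsreader", False),
    (T0 + timedelta(hours=30), "com.example.newsreader", False),
    (T0 + timedelta(hours=72, minutes=5), "com.example.btconnect", False),
    (T0 + timedelta(hours=74, minutes=6), "com.example.btconnect", True),
    (T0 + timedelta(hours=76, minutes=4), "com.example.btconnect", True),
]

if __name__ == "__main__":
    for pkg, why in flag_delayed_periodic_launchers(SAMPLE_INSTALLS, SAMPLE_LAUNCHES).items():
        print(pkg, why)
```

Requiring two of the three signals keeps a single lock-screen launch or a coincidental two-hour gap from flagging an app on its own.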