Bitdefender discovered a malware campaign hitting mobile devices worldwide for over 6 months that pushed ads to Android devices with the aim of increasing revenue.
According to CSO Online, a report from Bitdefender notes that the threat actors involved can easily switch tactics to redirect users to other types of malware, such as banking trojans to steal login information. login, financial information, or ransomware
To date, Bitdefender has discovered more than 60,000 adware-infected Android apps and suspects many more. This malware has existed since at least October 2022, targeting users in the US, South Korea, Brazil, Germany, the UK, and France.
The threat actor uses third-party applications to distribute malware because it is not available in any official store. To convince users to download and install third-party apps, the malware operators hid the threat on highly sought-after items that people couldn’t see in official stores. In certain cases, these apps only copy apps published in the Google Play Store. Some types of apps mimicked by malware include jailbreak games, games with no lock, free VPNs, fake tutorials, ad-free YouTube/TikTok, cracked add-ons Lockers, PDF viewers, and even fake security programs.
Apps with malware behave like normal Android apps to install and prompt the user to click “Open” after installation. However, the malware does not configure itself to run automatically because that may require additional privileges. Once installed, the malware displays a message saying “app not available” to trick the user into thinking the malware doesn’t exist, but in fact, it has no icon in the launcher and the UTF-8 character in the label makes it harder to detect and uninstall
Once launched, the application will communicate with the attacker’s server and retrieve the ad URLs that will be displayed in the mobile browser or as a full-screen WebView ad.
It is known that this is just one of the recent cases involving Android applications containing malware. Last month, an Android spyware called SpinOK was discovered by cybersecurity company Doctor Web. This malware collects information about files stored on the device and can pass them on to malicious actors. It can also replace and upload clipboard content to a remote server. The Android apps that contain SpinOk feature spyware that has been installed more than 421 million times
