Android apps claiming to enhance the performance of a user’s phone actually contained the ability to download thousands of malware variants, researchers say.
Lurking in the Google Play Store since 2017—collectively downloaded more than 470,000 times—the applications posed as ways to increase device performance by cleaning or deleting files, but in reality covertly infected devices to conduct ad fraud, according to Trend Micro.
Experts from the cybersecurity company said the malicious apps could even attempt to compromise a user’s Facebook and Google login details.
“The cybercriminals behind this campaign can use the affected device to post fake positive reviews in favor of the malicious apps, as well as perform multiple ad fraud techniques by clicking on the ads that pop up [in the software when it is opened],” the team said.
By tracking infection numbers over the past three months, it is believed close to 2,500 users in the U.S. were affected by the software, which has now been scrubbed from the Google Play marketplace. A total of 48,557 devices were infected within the same period in Japan.
The identified apps were: Shoot Clean (10,000+ installs), Super Clean Lite (50,000+ installs), Super Clean-Phone (100,000+ installs), Quick Games (100,000+ installs), Rocket Cleaner (100,000+ installs), Rocket Cleaner Lite (10,000+ installs), Speed Clean (100,000+ installs), LinkWorldVPN (1,000+ installs) and H5 gamebox (1,000+ installs).
Using Speed Clean as an example, Trend Micro said it was found to establish a secret connection to download malware variants or payloads that facilitate ad fraud.
This payload will “simulate a user clicking on an ad that appears in one of the malicious apps,” generating money for the criminals. The apps exposed by the company served ads through a “large number” of legitimate mobile ad platforms, including Google AdMob and Facebook Audience Network.
The booby-trapped cleaning app would try to trick a user into giving it access to full accessibility permissions. It urged them to turn off Google Play’s security features by pushing a warning to the device that read: “The phone is at risk, please open this access to ensure safe use.”
If clicked, it would mean the hackers could push more malware to the device, use the phone to post fake reviews of the malicious software on Play, and even associate the apps with a user’s Google and Facebook accounts, if those login details were saved on the smartphone.
It remains unknown who is behind the malware campaign, although the preliminary investigation suggested the operator, or team, may be based in China.
The researchers found the applications did not use any malicious functions if the user’s phone was geographically associated with the country. As noted by tech website Ars Technica, that is typically one indication that the developers did not wish to attract attention from local authorities.
“We tried modifying the geographic parameter value of the country code to any country code, or even random, non-existent country codes, and the remote ad configuration server consistently returned malicious content,” researchers explained in their analysis.
“When we modified the geographic parameter value to geo=cn (China), it didn’t return malicious content. It may indicate that the actors behind this campaign intentionally avoided requests from Chinese users. The campaign’s attack appears to exclude Chinese users.”
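The differential probe the researchers describe, written up as an added analysis example (this is not Trend Micro's code, and the page does not name the real configuration server): a stand-in server function reproduces the reported behaviour, every geo value including random non-existent codes gets the malicious configuration except `cn`, and the probe groups codes by the response so a geofence stands out. The server name, field names and payload URL are constructed placeholders.

```python
import random
import string

# Constructed stand-in for the campaign's remote ad configuration server.
# It mimics the behaviour reported by the researchers: any geo value,
# including random or non-existent codes, receives the malicious
# configuration, while geo=cn receives a benign one. The URL is a placeholder.
def fake_config_server(geo: str) -> dict:
    if geo.lower() == "cn":
        return {"ads": "default", "payload_url": None}
    return {"ads": "clickfraud", "payload_url": "hxxp://PLACEHOLDER/payload.apk"}


def is_malicious(config: dict) -> bool:
    # Hypothetical indicator: a config that points at a downloadable payload.
    return config.get("payload_url") is not None


def probe_geofence(fetch, geos, classify):
    """Query the config endpoint once per geo code and split the codes by
    whether the returned config is classified as malicious. A result where
    almost every code is served and only one or two are withheld is the
    signature of geofenced command-and-control behaviour."""
    served, withheld = [], []
    for geo in geos:
        (served if classify(fetch(geo)) else withheld).append(geo)
    return {"served": served, "withheld": withheld}


def random_geo(rng: random.Random, length: int = 3) -> str:
    # Three letters can never collide with a real two-letter country code.
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def analyse(fetch, seed: int = 0) -> dict:
    """Probe a mix of real and deliberately bogus country codes, as the
    researchers did, and report which ones the server excludes."""
    rng = random.Random(seed)
    real_codes = ["us", "jp", "de", "br", "in", "cn"]
    bogus_codes = [random_geo(rng) for _ in range(5)]
    result = probe_geofence(fetch, real_codes + bogus_codes, is_malicious)
    result["bogus_served"] = [g for g in bogus_codes if g in result["served"]]
    return result


if __name__ == "__main__":
    print(analyse(fake_config_server))
```

Swapping `fake_config_server` for a real fetcher that returns the parsed response of a sample's configuration request makes the same probe usable during sandbox analysis of a suspected geofenced app.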
The team said Android users need to “do their due diligence” before downloading any mobile app from the Play Store, including checking reviews for suspicious activity. In this instance, the apps showed a plethora of reviews but each had the exact same wording, a major red flag.
The Android operating system is owned and developed by Google.