ESET researchers found 42 apps containing adware, which they say have been downloaded over 8 million times since they first debuted in July 2018.
These apps look normal but act sneakily. Once an unsuspecting user installs an adware-infected app, the app will serve full-screen ads on the device’s display at semi-random intervals. Often the apps will delete their shortcut icon, making them more difficult to remove. The adware-infected apps will also mimic Facebook and Google’s apps to avoid suspicion, likely as a way to divert attention from the actual ad-serving app and to keep the app on the device for as long as possible.
In the background, the apps were also sending back data about the user’s device — including if certain apps are installed and if the device allows apps from non-app store sources — which could be used to install more malicious software on a device.
“The adware functionality is the same in all the apps we analyzed,” said Lukas Stefanko, one of ESET’s security researchers.
The researchers also found that the apps would check to see if an affected device was connected to Google’s servers in an effort to prevent detection. If the apps think they are being tested by Google Play’s security mechanisms, which ostensibly keep the app store free from malicious apps, the adware payload will not be triggered.
Some of those apps include Video Downloader Master, which had five million downloads; and Ringtone Maker Pro, SaveInsta and Tank Classic, which had 500,000 downloads each.
The researchers say a Vietnamese college student may be behind the adware campaign.
Google removed all of the offending apps but the researchers warned that many were still available from third-party app stores. A spokesperson confirmed all of the apps have been removed, but the search and mobile giant does not usually comment beyond acknowledging their removal.