A new report from security firm Avast out this morning reveals the discovery of a new form of malware on the Google Play store, which begins to display advertisements disguised as warning messages to end users when they unlock their Android smartphones. What’s interesting about this malware – or adware, as it’s better known – is that some of the applications where it was discovered already have a large number of installs. For instance, a card game app called Durak has 5 to 10 million installs, according to the data on Google Play.
Explains Avast researcher Filip Chytry, the malware was first brought to the company’s attention by way of a comment on the Avast forums, and, initially, he didn’t think much of it.
However, when he examined it further, he realized that the apps where the malware was found actually have a fairly large target audience. The apps are available in English-speaking countries and in other language versions as well, and have been downloaded by millions of users, assuming Google Play’s own data on app installs is accurate.
In addition to the card game, other apps, including an IQ test and a history app, were also found to be infected. The apps are from different developers, but each has the same malicious software installed. The original commenter on Avast’s forums said he found the malware in a dozen infected applications and pointed to several more.
Avast says it has analyzed the three mentioned here, and is currently researching more apps that behave similarly right now. That means that the adware which already has an install base of millions, may actually be even larger still.
The video below shows what it looks like when the phone becomes infected:
The apps are fairly clever about how they display the advertisements, too. Instead of beginning to show ads immediately after installation, they wait for several days. In some cases, the ads didn’t appear until after the app had been on the phone for a month.
“After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right?” writes Chytry.
The ads also don’t begin showing up until you’ve rebooted your device at least once, he notes. Afterwards, the ads will appear each time the end user unlocks their phone, presenting warnings saying that your device is infected or “out of date” or is full of porn. The user is then asked to take some action, but is instead redirected to downloads of other malware-laden apps, including those that send premium SMSes or those that collect a ton of personal data.
Oddly, users were also sometimes pointed to mobile antivirus apps on Google Play – some from legitimate companies. For instance, antivirus provider Quihoo 360 was one of the targets. It’s not likely that these companies are marketing their services via adware, however. It’s more probable that the malware authors are benefitting from some sort of referral scheme.
Avast tells us that they’re now in touch with the antivirus company which was receiving the redirects, and that company is currently investigating the situation.
Obviously, using the Google Play Store to distribute malware is a violation of Google’s Terms of Service. We’ve reached out to Google to ask if it was aware of the problem Avast uncovered, and if it will investigate or ban the apps and the developers from its app store. We will update this post if and when Google responds.
Update (6 p.m. ET): Google says the apps mentioned in the report are now suspended.
Update 2 (8:45 p.m. ET): Qihoo 360 confirms the adware placement occurred through a referral scheme. The company states that “We immediately stopped working with the publisher and are further looking into this to ensure continued trust in our product and brand.”