Researchers discovered over 100 malicious apps from Google play store that downloaded by more than 4.6 android users around the globe.
Most of the malicious apps are commits ad fraud, and the app malicious apps are using the same common code package dubbed “Soraka” (com.android.sorakalibrary.*).
“GBHackers on Security” reported several adware incidents in the past few months, and it’s rapidly growing to exclusively target the Android users to generate millions of dollars revenue.
Malware, Spyware, and Adware can accompany them, become a parasite in user’s systems resulting in unnecessary disruptions, and breaches of the personal data in your Android devices.
In addition to the Soraka code package, Researchers also discovered, in some of the apps, a variant with similar functionality which we dubbed “Sogo” (com.android.sogolibrary.*):
Some of The Malicious Apps Activities
An app called “Best Fortune Explorer App” published under the publisher JavierGentry80 commits to various malicious activities, including trick users to click the ads to generating revenue.
This apps contains more than 170,000 downloads with no Anti-Virus (AV) detections on VirusTotal.
Adware’s performing several filters the following code checks before a fraudulent ad
- Screen On
- TopActivity
- Interval since installation
- Trigger on/off switches
- Ad Network daily count limit
- Trigger time interval (to space out the ad rendering for each trigger)
Sophisticated filter mechanism helps attackers to avoid detection from automated analysis .
In the ad fraud activities, Upon unlocking the device, the app code removes the background notification service that halts all fraud activity while the phone screen is off and the first Out-of-Context (OOC) ad is rendered a couple of seconds after the device is unlocked.
Attackers using Java-based persistence mechanisms to maintain persistence in the infected Android device.
“This mechanism also allows fine-grain control of who (or what) receives the ad fraud, using the controls of ad serving platforms. The apps render out-of-context ads when the filter conditions are appropriate.”
The White Ops Threat Intelligence team said that they continue to monitor these packages and will identify any emerging packages.
We recommend the removal of any apps listed in the Indicators of Compromise
Package Name:
| art.photo.editor.best.hot |
| bedtime.reminder.lite.sleep |
| com.am.i.the.best.friends.hh |
| com.appodeal.test |
| com.beauty.mirror.lite |
| com.bedtimehelper.android |
| com.bkkmaster.android |
| com.calculator.game |
| com.card.life |
| com.cartoon.camera.pro.android |
| com.code.identifier.android |
| com.code.recognizer.android |
| com.color.spy.game |
| com.cute.kittens.puzzlegame.android |
| com.cute.love.test.android |
| com.daily.wonderfull.moment |
| com.dailycostmaster.android |
| com.dangerous.writing.note |
| com.data.securite.data |
| com.days.daysmatter365.android |
| com.days.remind.calendar |
| com.detector.noise.tool |
| com.dodge.emoji.game |
| com.dog.bark.picture.puzzle |
| com.drink.water.remind.you |
| com.ezzz.fan.sleep.noise |
| com.fake.call.girlfriend.prank2019 |
| com.fakecaller.android |
| com.fake.caller.plus |
| com.false.location |
| com.fancy.lovetest.android |
| com.fast.code.scanner.nmd |
| com.filemanagerkilopro.android |
| com.filemanagerupro.android |
| com.filemanageryo.android |
| com.filemanagerzeropro.android |
| com.find.difference.detective.little |
| com.find.you.lover.test |
| com.frame.easy.phone |
| com.frank.video.call.lite |
| com.free.code.scanner.nmd |
| com.free.lucky.prediction.test |
| com.funny.lie.truth.detector |
| com.funny.word.game.english |
| com.game.color.hunter |
| com.ice.survival.berg |
| com.idays.dayscounter.android |
| com.important.days.matter |
| com.instanomo.android |
| com.isleep.cycleclock.android |
| com.led.color.light.rolling |
| com.lite.fake.gps.location |
| com.lovetest.plus.android |
| com.love.yourself.women |
| com.lucky.charm.text |
| com.lucky.destiny.teller |
| com.magnifying.glass.tool |
| com.math.braingame.puzzle.riddle |
| com.math.iq.puzzle.riddle.braingame |
| com.math.puzzles.riddle.braingame |
| com.multiple.scanner.plus.nmd |
| com.my.big.days.counter |
| com.my.constellation.love.work |
| com.my.pocker.mobile.mirror |
| com.nanny.tool.data |
| com.nice.mobile.mirror.hd |
| com.nomophotoeditor.android |
| com.non.stop.writing |
| com.phone.lite.frame |
| com.phone.mirror.pro |
| com.pocker.pro.mobile.mirror |
| com.prank.call.fake.ring |
| com.phonecallmaker.android |
| com.pro.test.noise |
| com.puzzle.cute.dog.android |
| com.scan.code.tool |
| com.simple.days.counter |
| com.sleep.comfortable.sounds |
| com.sleep.in.rain |
| com.sleepassistantool.android |
| com.sleeptimer.android |
| com.smart.scanner.master.nmd |
| com.test.find.your.love |
| com.test.fortune.tester |
| com.test.lover.match |
| com.tiny.scanner.tool.nmd |
| com.wmmaster.android |
| com.word.fun.level.english |
| good.lucky.is.coming.hh |
| mobi.clock.android |
| my.lucky.goddness.today.test |
| newest.android.fake.location.changer |
| nmd.andriod.better.calculator.plus |
| nmd.andriod.mobile.calculator.master |
| nmd.android.best.fortune.explorer |
| nmd.android.better.fortune.signs |
| nmd.android.clam.white.noise |
| nmd.android.fake.incoming.call |
| nmd.android.good.luck.everyday |
| nmd.android.location.faker.master |
| nmd.android.multiple.fortune.test |
| nmd.android.scanner.master.plus |
| nmd.android.test.what.suitable |
| photo.editor.pro.magic |
| pic.art.photo.studio.picture |
| relax.ezzz.sleep.cradle |
| super.lucky.magican.newest |
| test.you.romantic.quize |
| well.sleep.guard.relax |
| your.best.lucky.master.test.new |
| com.ssdk.test |
| bedtime.reminder.lite.sleep |
| com.frank.video.call.lite.pro.prank |
| com.personal.fortune.text |
| com.daily.best.suit.you |
| com.false.call.trick |
