Saturday, November 23, 2024
HomeAndroidOver 60,000 Android Apps Silently Install Malware on Devices

Over 60,000 Android Apps Silently Install Malware on Devices

Published on

Recently, cybersecurity researchers uncovered that over 60,000 Android applications had been stealthily disguised as genuine software for the past six months.

It has been identified that these malicious apps have been secretly implanting adware onto unsuspecting mobile devices without detection.

Utilizing an anomaly detection feature integrated into its Bitdefender Mobile Security software just a month ago, Bitdefender effectively identified the malicious apps.

- Advertisement - SIEM as a Service

Distribution

The distribution of this campaign, suspected to have begun in October 2022, takes various forms, including:-

  • Fake security software
  • Fake game cracks
  • Fake cheats
  • Fake VPN software
  • Fake Netflix
  • Fake utility apps on third-party sites
  • Fake tutorials
  • YouTube/TikTok without ads
  • Fake videos

The malware strategically emerges when users search for apps, mods, cracks, and related materials, facilitating an organic distribution pattern. 

Notably, a growing and profitable market for modded apps leads to specialized websites entirely devoted to offering these enticing collections.

This malware campaign has targeted users from the following countries:-

  • The United States
  • South Korea
  • Brazil
  • Germany
  • The United Kingdom
  • France

The primary essence of modded apps lies in their ability to modify original applications, granting full access to their functionality or introducing programmed changes.

Installed and Evade Detection Stealthily

Google Play remains free from the clutches of malicious apps, as they prefer to reside on third-party websites discovered via Google Search, enticing users with APKs.

While browsing these sites, expect to be redirected to websites that showcase the advertisements or encounter prompts luring you to download the requested application.

According to the Bitdefender report, These download platforms are purposefully designed to function as distribution hubs for Android apps embedded with malicious code, capable of infecting Android devices with adware upon installation.

To avoid additional privileges, the app, after the installation, does not self-configure itself to initiate automatic execution.

Instead, it entirely depends on the regular installation procedure of the Android app, prompting users to manually ‘Open’ the app after installation.

Moreover, these apps deliberately avoid an icon and cleverly incorporate a UTF-8 character within the app’s label, intensifying their hiding and rendering them more challenging to identify.

This circumstance carries a dual nature, as it represents that if a user ignores to initiate the app post-installation, the probability of it being launched later declines.

After being launched, the app will promptly generate an error message, delivering the user with the following notification:-

“Application is not accessible in your region. Tap OK to uninstall.”

Android Apps Silently Install Malware

Despite appearances, the app does not uninstall itself; instead, it enters an inactive phase for two hours, during which it registers two ‘intents’ that trigger its launch upon device boot or unlocking.

Upon deployment, the application will establish a link to the servers that are under the control of the attacker. From these servers, it will start retrieving the advertisement URLs, which will be showcased within the:-

  • Mobile browser
  • Full-screen WebView ad

While the primary function of the malicious apps currently lies in exhibiting advertisements, the researchers caution that the threat actors can easily replace the adware URLs with websites of a more threatening nature.

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security

Malicious Domains Detected

Here below, we have mentioned all the malicious domains that are detected:-

  • Konkfan[.]com
  • beahor[.]com
  • gogomeza[.]com
  • kenudo.net
  • ehojam[.]com
  • adc-ad-assets.adtilt[.]com
  • adc3-launch.adcolony[.]com
  • adservice.google[.]com
  • auction-load.unityads.unity3d[.]com
  • config.unityads.unity3d[.]com
  • googleads.g.doubleclick.net
  • httpkafka.unityads.unity3d[.]com
  • pagead2.googlesyndication[.]com
  • publisher-config.unityads.unity3d[.]com
  • Wd.adcolony[.]com

IOCs

Here below we have mentioned the IOCs:-

  • 53f3fbd3a816f556330d7a17bf27cd0d com.contec.aflwallpapers4k
  • a8b18a67256618cf9dcd433a04448a5b com.deadsimpleapps.all
  • 53406cc4b3ced24152860a7984d96dbf com.devindie.appfacil
  • c1d312818d07cddb76d2bece7ad43908 book.com.ram.app
  • 4df8c05d0e323c5aeeb18c61e3c782c6 com.alamincarectg.app
  • d6e33f7b6ff314e2b61f54434a77e8f0 stickers.russia2018
  • 8ec0432424da16eb8053453f0ce0731a net.playtouch.connectanimalsok
  • db9f921ccecdef6cd8fb7f5cb0a779d2 com.advfn. Android.ihubmobile
  • 1313fa114436229856797384230a0a73 com.deadsimpleapps.all
  • 3050f562374b275f843f6eb892d2f298 edu.cpcc.go
  • 400568ea7406f4d3704fb4c02682313a com.ik.class3pdf
  • 7a1efcc701f10d2eef08a4f4bcf16fc2 ir.amin.rostami
  • 84aed79a10dd21e0996e08ba0c206965 com.alamincarectg.app
  • 4376ecd8add3622c2793239f658aa5e6 com.fhuchudev.apyarcardownload
  • 8fcc39166b1a8c29fba3f87307967718 book.com.ram.app
  • b7fb1fa1738c5048cecbe73086823843 com.kacyano.megasena
  • fd37ff8ded80e9fe07004e201422a129 com.ikeyboard.theme.tiedye.neon.weed
  • ef83a9b6ffe20b3abdba08a6517b08f0 studio.harpreet.autorefreshanywebsite
  • 319421d550ff761aa4ac2639b3985377 com.mdpabhel.autowebpagereloader2022
  • 7e3fa8b054346c013a8148d76be81a48 uz.pdp.ussds11
  • 60bae94bfa0c79c19fcc19bc5a9fb8e6 com.alamincarectg.app
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...