Saturday, July 20, 2024

Over 60,000 Android Apps Silently Install Malware on Devices

Recently, cybersecurity researchers uncovered that over 60,000 Android applications had been stealthily disguised as genuine software for the past six months.

It has been identified that these malicious apps have been secretly implanting adware onto unsuspecting mobile devices without detection.

Utilizing an anomaly detection feature integrated into its Bitdefender Mobile Security software just a month ago, Bitdefender effectively identified the malicious apps.


The distribution of this campaign, suspected to have begun in October 2022, takes various forms, including:-

  • Fake security software
  • Fake game cracks
  • Fake cheats
  • Fake VPN software
  • Fake Netflix
  • Fake utility apps on third-party sites
  • Fake tutorials
  • YouTube/TikTok without ads
  • Fake videos

The malware strategically emerges when users search for apps, mods, cracks, and related materials, facilitating an organic distribution pattern. 

Notably, a growing and profitable market for modded apps leads to specialized websites entirely devoted to offering these enticing collections.

This malware campaign has targeted users from the following countries:-

  • The United States
  • South Korea
  • Brazil
  • Germany
  • The United Kingdom
  • France

The primary essence of modded apps lies in their ability to modify original applications, granting full access to their functionality or introducing programmed changes.

Installed and Evade Detection Stealthily

Google Play remains free from the clutches of malicious apps, as they prefer to reside on third-party websites discovered via Google Search, enticing users with APKs.

While browsing these sites, expect to be redirected to websites that showcase the advertisements or encounter prompts luring you to download the requested application.

According to the Bitdefender report, These download platforms are purposefully designed to function as distribution hubs for Android apps embedded with malicious code, capable of infecting Android devices with adware upon installation.

To avoid additional privileges, the app, after the installation, does not self-configure itself to initiate automatic execution.

Instead, it entirely depends on the regular installation procedure of the Android app, prompting users to manually ‘Open’ the app after installation.

Moreover, these apps deliberately avoid an icon and cleverly incorporate a UTF-8 character within the app’s label, intensifying their hiding and rendering them more challenging to identify.

This circumstance carries a dual nature, as it represents that if a user ignores to initiate the app post-installation, the probability of it being launched later declines.

After being launched, the app will promptly generate an error message, delivering the user with the following notification:-

“Application is not accessible in your region. Tap OK to uninstall.”

Android Apps Silently Install Malware

Despite appearances, the app does not uninstall itself; instead, it enters an inactive phase for two hours, during which it registers two ‘intents’ that trigger its launch upon device boot or unlocking.

Upon deployment, the application will establish a link to the servers that are under the control of the attacker. From these servers, it will start retrieving the advertisement URLs, which will be showcased within the:-

  • Mobile browser
  • Full-screen WebView ad

While the primary function of the malicious apps currently lies in exhibiting advertisements, the researchers caution that the threat actors can easily replace the adware URLs with websites of a more threatening nature.

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security

Malicious Domains Detected

Here below, we have mentioned all the malicious domains that are detected:-

  • Konkfan[.]com
  • beahor[.]com
  • gogomeza[.]com
  • ehojam[.]com
  • adc-ad-assets.adtilt[.]com
  • adc3-launch.adcolony[.]com
  • auction-load.unityads.unity3d[.]com
  • config.unityads.unity3d[.]com
  • httpkafka.unityads.unity3d[.]com
  • pagead2.googlesyndication[.]com
  • publisher-config.unityads.unity3d[.]com
  • Wd.adcolony[.]com


Here below we have mentioned the IOCs:-

  • 53f3fbd3a816f556330d7a17bf27cd0d com.contec.aflwallpapers4k
  • a8b18a67256618cf9dcd433a04448a5b com.deadsimpleapps.all
  • 53406cc4b3ced24152860a7984d96dbf com.devindie.appfacil
  • c1d312818d07cddb76d2bece7ad43908
  • 4df8c05d0e323c5aeeb18c61e3c782c6
  • d6e33f7b6ff314e2b61f54434a77e8f0 stickers.russia2018
  • 8ec0432424da16eb8053453f0ce0731a net.playtouch.connectanimalsok
  • db9f921ccecdef6cd8fb7f5cb0a779d2 com.advfn. Android.ihubmobile
  • 1313fa114436229856797384230a0a73 com.deadsimpleapps.all
  • 3050f562374b275f843f6eb892d2f298 edu.cpcc.go
  • 400568ea7406f4d3704fb4c02682313a com.ik.class3pdf
  • 7a1efcc701f10d2eef08a4f4bcf16fc2 ir.amin.rostami
  • 84aed79a10dd21e0996e08ba0c206965
  • 4376ecd8add3622c2793239f658aa5e6 com.fhuchudev.apyarcardownload
  • 8fcc39166b1a8c29fba3f87307967718
  • b7fb1fa1738c5048cecbe73086823843 com.kacyano.megasena
  • fd37ff8ded80e9fe07004e201422a129 com.ikeyboard.theme.tiedye.neon.weed
  • ef83a9b6ffe20b3abdba08a6517b08f0 studio.harpreet.autorefreshanywebsite
  • 319421d550ff761aa4ac2639b3985377 com.mdpabhel.autowebpagereloader2022
  • 7e3fa8b054346c013a8148d76be81a48 uz.pdp.ussds11
  • 60bae94bfa0c79c19fcc19bc5a9fb8e6

Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles