Recently, cybersecurity researchers uncovered that over 60,000 Android applications had been stealthily disguised as genuine software for the past six months.
It has been identified that these malicious apps have been secretly implanting adware onto unsuspecting mobile devices without detection.
Utilizing an anomaly detection feature integrated into its Bitdefender Mobile Security software just a month ago, Bitdefender effectively identified the malicious apps.
The distribution of this campaign, suspected to have begun in October 2022, takes various forms, including:-
The malware strategically emerges when users search for apps, mods, cracks, and related materials, facilitating an organic distribution pattern.
Notably, a growing and profitable market for modded apps leads to specialized websites entirely devoted to offering these enticing collections.
This malware campaign has targeted users from the following countries:-
The primary essence of modded apps lies in their ability to modify original applications, granting full access to their functionality or introducing programmed changes.
Google Play remains free from the clutches of malicious apps, as they prefer to reside on third-party websites discovered via Google Search, enticing users with APKs.
While browsing these sites, expect to be redirected to websites that showcase the advertisements or encounter prompts luring you to download the requested application.
According to the Bitdefender report, These download platforms are purposefully designed to function as distribution hubs for Android apps embedded with malicious code, capable of infecting Android devices with adware upon installation.
To avoid additional privileges, the app, after the installation, does not self-configure itself to initiate automatic execution.
Instead, it entirely depends on the regular installation procedure of the Android app, prompting users to manually ‘Open’ the app after installation.
Moreover, these apps deliberately avoid an icon and cleverly incorporate a UTF-8 character within the app’s label, intensifying their hiding and rendering them more challenging to identify.
This circumstance carries a dual nature, as it represents that if a user ignores to initiate the app post-installation, the probability of it being launched later declines.
After being launched, the app will promptly generate an error message, delivering the user with the following notification:-
“Application is not accessible in your region. Tap OK to uninstall.”
Despite appearances, the app does not uninstall itself; instead, it enters an inactive phase for two hours, during which it registers two ‘intents’ that trigger its launch upon device boot or unlocking.
Upon deployment, the application will establish a link to the servers that are under the control of the attacker. From these servers, it will start retrieving the advertisement URLs, which will be showcased within the:-
While the primary function of the malicious apps currently lies in exhibiting advertisements, the researchers caution that the threat actors can easily replace the adware URLs with websites of a more threatening nature.
Here below, we have mentioned all the malicious domains that are detected:-
Here below we have mentioned the IOCs:-
A high-severity vulnerability has been discovered in the popular web framework, Next.js, which allows attackers…
In a decisive move to bolster cloud security, the Cybersecurity and Infrastructure Security Agency (CISA)…
Fortinet, a global leader in cybersecurity solutions, has issued an urgent security advisory addressing two…
Google has released a new security update on the Stable channel, bringing Chrome to version 131.0.6778.204/.205…
The Cybersecurity and Infrastructure Security Agency (CISA) has released new best practice guidance to safeguard…
The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …