Over 60,000 Android Apps Silently Install Malware on Devices

Recently, cybersecurity researchers uncovered that over 60,000 Android applications had been stealthily disguised as genuine software for the past six months.

It has been identified that these malicious apps have been secretly implanting adware onto unsuspecting mobile devices without detection.

Utilizing an anomaly detection feature integrated into its Bitdefender Mobile Security software just a month ago, Bitdefender effectively identified the malicious apps.

Distribution

The distribution of this campaign, suspected to have begun in October 2022, takes various forms, including:-

  • Fake security software
  • Fake game cracks
  • Fake cheats
  • Fake VPN software
  • Fake Netflix
  • Fake utility apps on third-party sites
  • Fake tutorials
  • YouTube/TikTok without ads
  • Fake videos

The malware strategically emerges when users search for apps, mods, cracks, and related materials, facilitating an organic distribution pattern. 

Notably, a growing and profitable market for modded apps leads to specialized websites entirely devoted to offering these enticing collections.

This malware campaign has targeted users from the following countries:-

  • The United States
  • South Korea
  • Brazil
  • Germany
  • The United Kingdom
  • France

The primary essence of modded apps lies in their ability to modify original applications, granting full access to their functionality or introducing programmed changes.

Installed and Evade Detection Stealthily

Google Play remains free from the clutches of malicious apps, as they prefer to reside on third-party websites discovered via Google Search, enticing users with APKs.

While browsing these sites, expect to be redirected to websites that showcase the advertisements or encounter prompts luring you to download the requested application.

According to the Bitdefender report, These download platforms are purposefully designed to function as distribution hubs for Android apps embedded with malicious code, capable of infecting Android devices with adware upon installation.

To avoid additional privileges, the app, after the installation, does not self-configure itself to initiate automatic execution.

Instead, it entirely depends on the regular installation procedure of the Android app, prompting users to manually ‘Open’ the app after installation.

Moreover, these apps deliberately avoid an icon and cleverly incorporate a UTF-8 character within the app’s label, intensifying their hiding and rendering them more challenging to identify.

This circumstance carries a dual nature, as it represents that if a user ignores to initiate the app post-installation, the probability of it being launched later declines.

After being launched, the app will promptly generate an error message, delivering the user with the following notification:-

“Application is not accessible in your region. Tap OK to uninstall.”

Despite appearances, the app does not uninstall itself; instead, it enters an inactive phase for two hours, during which it registers two ‘intents’ that trigger its launch upon device boot or unlocking.

Upon deployment, the application will establish a link to the servers that are under the control of the attacker. From these servers, it will start retrieving the advertisement URLs, which will be showcased within the:-

  • Mobile browser
  • Full-screen WebView ad

While the primary function of the malicious apps currently lies in exhibiting advertisements, the researchers caution that the threat actors can easily replace the adware URLs with websites of a more threatening nature.

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security

Malicious Domains Detected

Here below, we have mentioned all the malicious domains that are detected:-

  • Konkfan[.]com
  • beahor[.]com
  • gogomeza[.]com
  • kenudo.net
  • ehojam[.]com
  • adc-ad-assets.adtilt[.]com
  • adc3-launch.adcolony[.]com
  • adservice.google[.]com
  • auction-load.unityads.unity3d[.]com
  • config.unityads.unity3d[.]com
  • googleads.g.doubleclick.net
  • httpkafka.unityads.unity3d[.]com
  • pagead2.googlesyndication[.]com
  • publisher-config.unityads.unity3d[.]com
  • Wd.adcolony[.]com

IOCs

Here below we have mentioned the IOCs:-

  • 53f3fbd3a816f556330d7a17bf27cd0d com.contec.aflwallpapers4k
  • a8b18a67256618cf9dcd433a04448a5b com.deadsimpleapps.all
  • 53406cc4b3ced24152860a7984d96dbf com.devindie.appfacil
  • c1d312818d07cddb76d2bece7ad43908 book.com.ram.app
  • 4df8c05d0e323c5aeeb18c61e3c782c6 com.alamincarectg.app
  • d6e33f7b6ff314e2b61f54434a77e8f0 stickers.russia2018
  • 8ec0432424da16eb8053453f0ce0731a net.playtouch.connectanimalsok
  • db9f921ccecdef6cd8fb7f5cb0a779d2 com.advfn. Android.ihubmobile
  • 1313fa114436229856797384230a0a73 com.deadsimpleapps.all
  • 3050f562374b275f843f6eb892d2f298 edu.cpcc.go
  • 400568ea7406f4d3704fb4c02682313a com.ik.class3pdf
  • 7a1efcc701f10d2eef08a4f4bcf16fc2 ir.amin.rostami
  • 84aed79a10dd21e0996e08ba0c206965 com.alamincarectg.app
  • 4376ecd8add3622c2793239f658aa5e6 com.fhuchudev.apyarcardownload
  • 8fcc39166b1a8c29fba3f87307967718 book.com.ram.app
  • b7fb1fa1738c5048cecbe73086823843 com.kacyano.megasena
  • fd37ff8ded80e9fe07004e201422a129 com.ikeyboard.theme.tiedye.neon.weed
  • ef83a9b6ffe20b3abdba08a6517b08f0 studio.harpreet.autorefreshanywebsite
  • 319421d550ff761aa4ac2639b3985377 com.mdpabhel.autowebpagereloader2022
  • 7e3fa8b054346c013a8148d76be81a48 uz.pdp.ussds11
  • 60bae94bfa0c79c19fcc19bc5a9fb8e6 com.alamincarectg.app
Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Next.js Vulnerability Let Attackers Bypass Authentication

A high-severity vulnerability has been discovered in the popular web framework, Next.js, which allows attackers…

14 minutes ago

CISA Issues Secure Practices for Cloud Services To Strengthen U.S Federal Agencies

In a decisive move to bolster cloud security, the Cybersecurity and Infrastructure Security Agency (CISA)…

50 minutes ago

Fortinet Critical Vulnerabilitiy Let Attackers Inject Commands Remotely

Fortinet, a global leader in cybersecurity solutions, has issued an urgent security advisory addressing two…

2 hours ago

Critical Chrome Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Google has released a new security update on the Stable channel, bringing Chrome to version 131.0.6778.204/.205…

3 hours ago

CISA Released Secure Mobile Communication Best Practices – 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has released new best practice guidance to safeguard…

3 hours ago

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

21 hours ago