Over 60,000 Android Apps Silently Install Malware on Devices

Recently, cybersecurity researchers uncovered that over 60,000 Android applications had been stealthily disguised as genuine software for the past six months.

It has been identified that these malicious apps have been secretly implanting adware onto unsuspecting mobile devices without detection.

Utilizing an anomaly detection feature integrated into its Bitdefender Mobile Security software just a month ago, Bitdefender effectively identified the malicious apps.


The distribution of this campaign, suspected to have begun in October 2022, takes various forms, including:-

  • Fake security software
  • Fake game cracks
  • Fake cheats
  • Fake VPN software
  • Fake Netflix
  • Fake utility apps on third-party sites
  • Fake tutorials
  • YouTube/TikTok without ads
  • Fake videos

The malware strategically emerges when users search for apps, mods, cracks, and related materials, facilitating an organic distribution pattern. 

Notably, a growing and profitable market for modded apps leads to specialized websites entirely devoted to offering these enticing collections.

This malware campaign has targeted users from the following countries:-

  • The United States
  • South Korea
  • Brazil
  • Germany
  • The United Kingdom
  • France

The primary essence of modded apps lies in their ability to modify original applications, granting full access to their functionality or introducing programmed changes.

Installed and Evade Detection Stealthily

Google Play remains free from the clutches of malicious apps, as they prefer to reside on third-party websites discovered via Google Search, enticing users with APKs.

While browsing these sites, expect to be redirected to websites that showcase the advertisements or encounter prompts luring you to download the requested application.

According to the Bitdefender report, These download platforms are purposefully designed to function as distribution hubs for Android apps embedded with malicious code, capable of infecting Android devices with adware upon installation.

To avoid additional privileges, the app, after the installation, does not self-configure itself to initiate automatic execution.

Instead, it entirely depends on the regular installation procedure of the Android app, prompting users to manually ‘Open’ the app after installation.

Moreover, these apps deliberately avoid an icon and cleverly incorporate a UTF-8 character within the app’s label, intensifying their hiding and rendering them more challenging to identify.

This circumstance carries a dual nature, as it represents that if a user ignores to initiate the app post-installation, the probability of it being launched later declines.

After being launched, the app will promptly generate an error message, delivering the user with the following notification:-

“Application is not accessible in your region. Tap OK to uninstall.”

Despite appearances, the app does not uninstall itself; instead, it enters an inactive phase for two hours, during which it registers two ‘intents’ that trigger its launch upon device boot or unlocking.

Upon deployment, the application will establish a link to the servers that are under the control of the attacker. From these servers, it will start retrieving the advertisement URLs, which will be showcased within the:-

  • Mobile browser
  • Full-screen WebView ad

While the primary function of the malicious apps currently lies in exhibiting advertisements, the researchers caution that the threat actors can easily replace the adware URLs with websites of a more threatening nature.

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security

Malicious Domains Detected

Here below, we have mentioned all the malicious domains that are detected:-

  • Konkfan[.]com
  • beahor[.]com
  • gogomeza[.]com
  • ehojam[.]com
  • adc-ad-assets.adtilt[.]com
  • adc3-launch.adcolony[.]com
  • auction-load.unityads.unity3d[.]com
  • config.unityads.unity3d[.]com
  • httpkafka.unityads.unity3d[.]com
  • pagead2.googlesyndication[.]com
  • publisher-config.unityads.unity3d[.]com
  • Wd.adcolony[.]com


Here below we have mentioned the IOCs:-

  • 53f3fbd3a816f556330d7a17bf27cd0d com.contec.aflwallpapers4k
  • a8b18a67256618cf9dcd433a04448a5b com.deadsimpleapps.all
  • 53406cc4b3ced24152860a7984d96dbf com.devindie.appfacil
  • c1d312818d07cddb76d2bece7ad43908
  • 4df8c05d0e323c5aeeb18c61e3c782c6
  • d6e33f7b6ff314e2b61f54434a77e8f0 stickers.russia2018
  • 8ec0432424da16eb8053453f0ce0731a net.playtouch.connectanimalsok
  • db9f921ccecdef6cd8fb7f5cb0a779d2 com.advfn. Android.ihubmobile
  • 1313fa114436229856797384230a0a73 com.deadsimpleapps.all
  • 3050f562374b275f843f6eb892d2f298 edu.cpcc.go
  • 400568ea7406f4d3704fb4c02682313a com.ik.class3pdf
  • 7a1efcc701f10d2eef08a4f4bcf16fc2 ir.amin.rostami
  • 84aed79a10dd21e0996e08ba0c206965
  • 4376ecd8add3622c2793239f658aa5e6 com.fhuchudev.apyarcardownload
  • 8fcc39166b1a8c29fba3f87307967718
  • b7fb1fa1738c5048cecbe73086823843 com.kacyano.megasena
  • fd37ff8ded80e9fe07004e201422a129 com.ikeyboard.theme.tiedye.neon.weed
  • ef83a9b6ffe20b3abdba08a6517b08f0 studio.harpreet.autorefreshanywebsite
  • 319421d550ff761aa4ac2639b3985377 com.mdpabhel.autowebpagereloader2022
  • 7e3fa8b054346c013a8148d76be81a48 uz.pdp.ussds11
  • 60bae94bfa0c79c19fcc19bc5a9fb8e6

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…

1 day ago

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…

1 day ago

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…

1 day ago

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…

1 day ago

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…

1 day ago

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated cybercriminals to achieve its strategic goals,…

2 days ago