Researchers found 85 Google Play apps, with more than 8 million downloads between them, that forced users to view full-screen ads. The apps, gaming programs among them, contain an adware family that greatly disrupts end users. Once installed, the apps display ads across the entire screen, a setting that forces users to view the entire duration of an ad before closing the window or returning to the app. The apps show an ad every five minutes, but the people running the platform have the ability to remotely change the frequency.
AndroidOS_Hidenad.HRXH, as the adware is called, uses many tricks to prevent detection and removal. A half hour after installation, for example, an app hides its icon and creates a shortcut on the device's home screen. (That's according to a write-up from Trend Micro, the security firm that found the apps.) Hiding the icon prevents the app from being uninstalled by dragging and dropping its icon onto the uninstall section of the device's screen. Android 8 and later versions require user confirmation before an app can create a shortcut, but even if users on these versions decline, the icon remains hidden.
An app will also record two timestamps, "the current time (device system time) as 'installTime,' and network time, with the timestamp being obtained by abuse of a publicly available and legitimate RESTful application programming interface (API), then stored as 'networkInstallTime.'"
Later, the app will register a component of Android, known as a "Broadcast Receiver," which lets the app send or receive system or application events. The goal: to help monitor if a user is present after the infected device wakes up.
Trend Micro researcher Ecular Xu writes:
Each time the user opens the device, the adware will perform some checks before performing these actions. It first compares the current time (device system time) with the timestamp stored as installTime; it compares the current network time (queried through a RESTful API) to the timestamp stored as networkInstallTime. Of these, the ad-embedded app can determine if it's been installed on the device long enough, with the default delay time configured to 30 minutes. To a certain extent, network time use can avoid time-based detection techniques or triggers used by traditional sandboxes, as the app's time settings may be compromised. -configure just by using networkInstallTime. minutes, it will start hiding the icon and creating a shortcut. device. When conditions are met, ads will be displayed on the screen. Similar to how it hides the icon, it also checks the time before ads are displayed. It also uses installTime and networkInstallTime to determine how long it has been installed on the device. In addition, it also reviews the last ad to make sure it doesn't show the same ad often.
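The two-clock check described in the write-up, modelled from a sandbox operator's side to show which analysis strategies would observe the gated behaviour. This is an added example, not Trend Micro's code or the adware's; the function names, the constructed install instant, and the assumption that both elapsed times must reach the 30-minute delay are illustrative.

```python
from dataclasses import dataclass

DELAY_S = 30 * 60  # default delay reported in the write-up: 30 minutes


@dataclass
class Clocks:
    device: int   # device system time, which a sandbox can set freely
    network: int  # time returned by the remote time API


def installed_long_enough(at_install: Clocks, now: Clocks, delay: int = DELAY_S) -> bool:
    # Assumption: both elapsed times must reach the delay before anything fires.
    return (now.device - at_install.device >= delay
            and now.network - at_install.network >= delay)


def sandbox_run(real_wait_s: int, device_skew_s: int = 0, network_skew_s: int = 0) -> bool:
    """Model one analysis run; True means the gated behaviour would be observed.

    real_wait_s    -- wall-clock seconds the sample actually runs
    device_skew_s  -- seconds the sandbox adds to the device clock after install
    network_skew_s -- seconds added to intercepted time-API responses (0 = untouched)
    """
    t0 = 1_565_000_000  # constructed install instant (epoch seconds)
    at_install = Clocks(device=t0, network=t0)
    now = Clocks(device=t0 + real_wait_s + device_skew_s,
                 network=t0 + real_wait_s + network_skew_s)
    return installed_long_enough(at_install, now)


def compare_strategies() -> dict:
    # Four hypothetical sandbox configurations an analyst might choose between.
    return {
        "5 min run, no clock changes": sandbox_run(300),
        "5 min run, device clock +2 h": sandbox_run(300, device_skew_s=7200),
        "5 min run, device clock and time API +2 h": sandbox_run(300, 7200, 7200),
        "31 min run, no clock changes": sandbox_run(31 * 60),
    }


if __name__ == "__main__":
    for strategy, observed in compare_strategies().items():
        print(f"{strategy:45} behaviour observed: {observed}")
```

Advancing only the device clock leaves the network-side comparison short of the delay, so a sandbox has to either run past 30 minutes or also control the time API response.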
The list of apps includes Super Selfie Camera, Cos Camera, Pop Camera, and A Stroke Line Puzzle. Each of these titles has been downloaded 1 million times, which accounts for almost half of the total number of downloads. Other apps (which include Background Eraser, Meet Camera, Pixel Blur, Hi Music Play, and One Line Stroke) each have 500,000 downloads. The rest of the apps are published here.
Trend Micro privately reported the apps to Google. Google then removed the apps from Play.