85 Google Play apps with 8 million downloads forced users to run full screen ads



Researchers have discovered 85 Google Play apps, with more than 8 million downloads, that forced users to view full-screen ads.

The apps, which came in the form of photography and gaming programs, contained a family of adware that was extremely disruptive to end users. Once installed, the apps would display full-screen ads, forcing users to view the full duration of an ad before they could close the window or return to the app. The apps displayed an ad every five minutes, but the platform's operators could change the frequency remotely.

AndroidOS_Hidenad.HRXH, as the adware is called, uses several tricks to evade detection and removal. Half an hour after installation, for example, an app would hide its icon and create a shortcut on the device's home screen, according to an article from Trend Micro, the security company that found the apps. Hiding the icon prevented the apps from being uninstalled by dragging their icon to the uninstall section of the device screen. Android 8 and later versions require user confirmation before an app can create a shortcut. However, even if users of these versions did not agree, the icon would still be hidden.

An application also saves two timestamps, "the current time (the system time of the device) under the name 'installTime' and the network time, whose timestamp is retrieved by abusing a publicly available and legitimate RESTful application programming interface (API) and then stored as 'networkInstallTime.'"

Later, the app would register an Android component known as a Broadcast Receiver, which allows an app to send or receive system or application events. The goal: to help monitor whether a user was present after the infected device woke up.

Ecular Xu, researcher at Trend Micro, wrote:

Whenever the user unlocks the device, the advertising software will perform several checks before executing its routines. It first compares the current time (the system time of the device) with the timestamp stored under the name installTime; it then compares the current network time (queried via a RESTful API) with the timestamp stored as networkInstallTime. With these checks, the application built into the advertising software can determine if it has been installed on the device long enough, with the default timeout configured for 30 minutes. To some extent, the use of network time can escape the time-based detection techniques and triggers employed by traditional sandboxes because time-based settings of the application can be configured simply using networkInstallTime.

If an application determines that it has been installed for more than 30 minutes, it will hide the icon and create the shortcut.

Xu continued:

The application also registers another broadcast receiver for android.intent.action.USER_PRESENT dynamically to check if the user has unlocked the device. Once the conditions are met, the ads will be displayed on the screen. Similar to the way it hides the icon, it also checks the time before displaying advertisements. It also uses installTime and networkInstallTime to determine how long it has been installed on the device. Apart from that, it also checks the latest ad to make sure that it does not show up too often.

The list of applications included a Super Selfie camera, a Cos camera, an anti-pop camera and an online puzzle. Each of these titles has been downloaded 1 million times, which is about half of the total downloads. Other applications (including background erasure, meeting camera, pixel blur, high-definition music playback, and one stroke line) were downloaded approximately 500,000 times. The remaining applications are published here.

Trend Micro privately reported the apps to Google, which then removed them from Play.
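
The behaviours described above (a dynamically registered USER_PRESENT receiver, the installTime/networkInstallTime pair, and a hidden launcher icon) can be combined into a static triage check over strings extracted from a decompiled app. The following Python check is an added example, not code from Trend Micro or from this article; the Android identifiers are real platform names, while the grouping rule, the `triage` function and the sample strings are assumptions constructed for illustration.

```python
import re

# Indicators drawn from the behaviour the article describes. The Android
# identifiers are real platform names; how they are grouped is an assumption.
INDICATORS = {
    "user_present_receiver": re.compile(r"android\.intent\.action\.USER_PRESENT"),
    "dynamic_registration": re.compile(r"\bregisterReceiver\b"),
    "icon_hiding": re.compile(r"\bsetComponentEnabledSetting\b"),
    "shortcut_creation": re.compile(r"INSTALL_SHORTCUT|\brequestPinShortcut\b"),
    "install_timestamp": re.compile(r"\binstallTime\b"),
    "network_timestamp": re.compile(r"\bnetworkInstallTime\b"),
}

# An app is flagged only when every behaviour group has evidence, because each
# indicator on its own is common in benign apps. Shortcut creation is reported
# but not required: the article notes the icon is hidden even without it.
GROUPS = {
    "unlock_trigger": {"user_present_receiver", "dynamic_registration"},
    "delayed_activation": {"install_timestamp", "network_timestamp"},
    "launcher_concealment": {"icon_hiding"},
}

def triage(lines):
    """Return (flagged, satisfied_groups, hits) for one app's extracted strings."""
    hits = {name for name, rx in INDICATORS.items()
            if any(rx.search(line) for line in lines)}
    satisfied = {group for group, needed in GROUPS.items() if needed <= hits}
    return satisfied == set(GROUPS), satisfied, hits

# Constructed sample strings (smali and manifest lines), not from a real app.
SUSPECT = [
    'const-string v0, "installTime"',
    'const-string v1, "networkInstallTime"',
    'const-string v2, "android.intent.action.USER_PRESENT"',
    "Landroid/content/Context;->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;",
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V",
    '<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>',
]
# A benign lock-screen style app: reacts to unlock events but nothing else.
BENIGN = [
    'const-string v0, "android.intent.action.USER_PRESENT"',
    "Landroid/content/Context;->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;",
    'const-string v1, "installTime"',
]

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        flagged, groups, hits = triage(sample)
        print(name, "FLAG" if flagged else "ok", sorted(groups), sorted(hits))
```

A match is a prompt for manual review rather than a verdict, since the string names can be changed by the adware's authors.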
