Archive for the ‘google play’ Category

238 Google Play apps with >440 million installs made phones nearly unusable

June 4th, 2019

If the prevalence of abusive Google Play apps has left you numb, this latest report is for you. Carefully concealed adware installed in Google-approved apps with more than 440 million installations was so aggressive that it rendered mobile devices nearly unusable, researchers from mobile security provider Lookout said Tuesday.

BeiTaAd, as the adware is known, is a plugin that Lookout says it found hidden in the emoji keyboard TouchPal and 237 other applications, all of which were published by Shanghai, China-based CooTek. Together, the 238 unique apps had a combined 440 million installs. Once installed, the apps initially behaved normally. Then, after a delay of anywhere between 24 hours and 14 days, the obfuscated BeiTaAd plugin would begin delivering what are known as out-of-app ads. These ads appeared on users' lock screens and triggered audio and video at seemingly random times or even when a phone was asleep.

"My wife is having the exact same issue," one person reported in November in this thread discussing BeiTaAd. "This will bring up random ads in the middle of phone calls, when her alarm clock goes off or anytime she uses any other function on her phone. We are unable to find any other information on this. It is extremely annoying and almost [makes] her phone unusable."

Posted in adware, Android, Biz & IT, encryption, google play, obfuscation

Google Play apps with 150 million installs contain aggressive adware

March 13th, 2019

Researchers have identified a massive adware campaign that invaded the official Google Play market with more than 200 highly aggressive apps that were collectively downloaded almost 150 million times.

The 210 apps discovered by researchers from security firm Check Point Software bombarded users with ads, even when an app wasn’t open, according to a blog post published by the company on Wednesday. The apps also had the ability to carry out spearphishing attacks by causing a browser to open an attacker-chosen URL, and they could open the apps for Google Play and third-party market 9Apps with a specific keyword search or a specific application’s page. The apps reported to a command-and-control server to receive instructions on which commands to carry out.

Once installed, the apps installed code that allowed them to perform actions as soon as the device finished booting or while the user was using the device. The apps also could remove their icon from the device launcher to make it harder for users to uninstall the nuisance apps. The apps all used a software development kit called RXDrioder, which Check Point researchers believe concealed its abusive capabilities from app developers. The researchers dubbed the campaign SimBad, because many of the participating apps are simulator games.

Posted in adware, Android, apps, Biz & IT, google play

Google Play caught hosting an app that steals users’ cryptocurrency

February 9th, 2019

Google Play has been caught hosting yet another malicious app, this time one that was designed to steal cryptocurrency from unwitting end users, researchers said Friday.

The malware, which masqueraded as a legitimate cryptocurrency app, worked by replacing wallet addresses copied into the Android clipboard with one belonging to attackers, a researcher with Eset said in a blog post. As a result, people who intended to use the app to transfer digital coins into a wallet of their choosing would instead deposit the funds into a wallet belonging to the attackers.

So-called clipper malware has targeted Windows users since at least 2017. Last year, a botnet known as Satori was updated to infect coin-mining computers with malware that similarly changed wallet addresses. Last August came word of Android-based clipper malware that was distributed in third-party marketplaces.

Posted in Biz & IT, cryptocurrency, google play, malware

Google Play apps with >4.3 million downloads stole pics and pushed porn ads

February 1st, 2019
Screenshots of the pop-up ads displayed by malicious apps that were available in Google's Play Store. (credit: Trend Micro)

Google has banned dozens of Android apps downloaded millions of times from the official Play Store after researchers discovered they were being used to display phishing and scam ads or perform other malicious acts.

A blog post published by security firm Trend Micro listed 29 camera- or photo-related apps, with the top 11 of them fetching 100,000 to 1 million downloads each. One crop of apps caused browsers to display full-screen ads when users unlocked their devices. Clicking the pop-up ads in some cases caused a paid online pornography player to be downloaded, although it was incapable of playing content. The apps were carefully designed to conceal their malicious capabilities.

“None of these apps give any indication that they are the ones behind the ads, thus users might find it difficult to determine where they’re coming from,” Trend Micro Mobile Threats Analyst Lorin Wu wrote. “Some of these apps redirect to phishing websites that ask the user for personal information, such as addresses and phone numbers.”

Posted in Android, apps, Biz & IT, google play, porn

Google Play malware used phones’ motion sensors to conceal itself

January 18th, 2019

Malicious apps hosted in the Google Play market are trying a clever trick to avoid detection—they monitor the motion-sensor input of an infected device before installing a powerful banking trojan to make sure it doesn’t load on emulators researchers use to detect attacks.

The thinking behind the monitoring is that sensors in real end-user devices will record motion as people use them. By contrast, emulators used by security researchers—and possibly Google employees screening apps submitted to Play—are less likely to use sensors. Two Google Play apps recently caught dropping the Anubis banking malware on infected devices would activate the payload only when motion was detected first. Otherwise, the trojan would remain dormant.

Security firm Trend Micro found the motion-activated dropper in two apps—BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious.

Posted in Android, anubis, Biz & IT, google play, malware, motion sensor

Google Play ejects 22 backdoored apps with 2 million+ downloads

December 6th, 2018

Almost two dozen apps with more than 2 million downloads have been removed from the Google Play market after researchers found they contained a device-draining backdoor that allowed them to surreptitiously download files from an attacker-controlled server.

The 22 rogue titles included Sparkle Flashlight, a flashlight app that had been downloaded more than 1 million times since it entered Google Play sometime in 2016 or 2017, antivirus provider Sophos said in a blog post published Thursday. Beginning around March of this year, Sparkle Flashlight and two other apps were updated to add the secret downloader. The remaining 19 apps became available after June and contained the downloader from the start.

“Serious harm”

By the time Google removed the apps in late November, they were being used to click endlessly on fraudulent ads. "Andr/Clickr-ad," as Sophos has dubbed the family of apps, automatically started and ran even after a user force-closed them, functions that caused the apps to consume huge amounts of bandwidth and drain batteries. In Thursday's post, Sophos researcher Chen Yu wrote:

Posted in ad fraud, Android, apps, Biz & IT, google play, Malicious