Bitdefender Anomaly Detection Finds 60k Apps Secretly Installing Adware

Using an anomaly detection feature that was added to its Mobile Security software, Bitdefender detected over 60,000 malicious Android apps disguised as legitimate applications that have been installing adware for the last 6 months.
The global campaign that predominantly targets US users is believed to have started in October 2022 and is being distributed as fake security software, game cracks, cheats, VPN software, Netflix, and utility apps on third-party sites, where malware inspection isn’t as strong.
When the app is installed and launched, it displays an error message stating that the “Application is unavailable in your region. Tap OK to uninstall.” The app is not actually uninstalled; instead it sleeps for two hours before registering two ‘intents’ that cause the app to launch when the device is booted or unlocked. Bitdefender says the latter intent is disabled for the first 2 days, which helps evade detection.
The app then reaches out to the attackers’ servers and retrieves advertisement URLs to be displayed in the mobile browser or as a full-screen WebView ad.
“However, the threat actors involved can easily switch tactics to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information or ransomware,” warns Bitdefender.

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “The discovery of these malicious Android apps raises concerns about how easy it is to distribute malware and the fact that this campaign predominantly targets users in the United States is concerning, as it suggests that a large number of individuals may be at risk. This highlights the need for robust security measures, like app attestation to protect users from such threats. It also serves as a reminder for users to exercise caution when downloading and installing applications, particularly from unofficial sources.”

Dave Ratner, CEO, HYAS follows up with this:

   “The identification of beaconing behavior to adversary infrastructure via Protective DNS is not only for laptops and servers; the explosion of mobile-based malware highlights just how important it is to extend Protective DNS across all connected devices. Bad actors will continue to find innovative ways to trick users but having the visibility to see the anomalous communication reaching out to the adversary’s servers, and the ability to block it, provides a key layer of defense that is critical in today’s world.”

The fact that these Android apps are out there should send a chill down the spine of every Android user. To me, this means that Google as well as users of Android phones really need to have their heads on a swivel to make sure that this doesn’t become an extremely popular attack vector.
