In context: Embedding ad code into an app is a long-established way for developers to offset their costs for offering free or cheap apps. However, some less scrupulous app makers create what is essentially adware and deceptively pawn it off as something useful.
Threat researchers at Australia-based SophosLabs recently uncovered 15 apps that don’t seem to do anything other than aggressively display ads on Android devices. The programs have names and product descriptions ranging from QR readers to image editing apps.
What makes these applications even more insidious is that they hide their icons to make them more difficult to remove from the phone. Some of them even camouflage themselves in the settings with different names and icons.
Sophos gives an example of an app called Flash On Calls & Messages (free.calls.messages). When launched, it displays a message saying, “This app is incompatible with your device!” Then it opens the app store to the page for Google Maps to trick the user into thinking that the Maps app is the problem.
After that, it hides its icon so that it cannot be seen in the launcher. Other apps on the list do this as well, although some don’t do it on the initial launch. Some will wait until they have been installed for a bit before hiding the icon.
What’s worse is the apps further try to avoid removal by using a different name and icon in Android’s settings. Nine out of the 15 employed this tactic to avoid detection. The camouflaged apps will mimic harmless programs or even essential functions using names like Update, Back Up, Time Zone Service, or even Google Play Store.
Principal researcher Andrew Brandt outlined how to find and remove the annoying malware.
“If you suspect that an app you recently installed is hiding its icon in the app tray, tap Settings (the gear menu) and then Apps & Notifications. The most recently opened apps appear in a list at the top of this page. If any of those apps use the generic Android icon (which looks like a little greenish-blue Android silhouette) and have generic-sounding names (‘Back Up,’ ‘Update,’ ‘Time Zone Service’) tap the generic icon and then tap ‘Force Stop’ followed by ‘Uninstall.’ A real system app will have a button named ‘Disable’ instead of ‘Uninstall’ and you don’t need to bother disabling it.”
The 15 malicious apps discovered have been removed from Google Play. However, Play market stats revealed that together, they have already been downloaded and installed on over 1.3 million devices around the world. you can check out SophosLabs write-up for a full list.
Sophos is quick to note that it is highly likely that there are more apps like these out there still.
“While these apps have been removed from the Google Play Store, there may be others we haven’t yet discovered that do the same thing,” said Brandt.