Researchers at ESET spent a year tracking an adware operator who has almost 42 apps on the Google Play Store with over eight million downloads, tricking users by bloating the apps with adware and earning revenue from it.
ESET, a cybersecurity research company, found a batch of apps on the Google Play Store that use malicious code to display ads on users’ devices and earn revenue. The apps span various categories, from ringtone makers to recorders to downloaders, and were reportedly downloaded eight million times cumulatively since launch. Although some of these apps have since vanished, leaving only 21 available at the time of writing, they use malicious code to show ads and employ various techniques to hide that code from Google’s scrutiny.
Apparently, these apps detect when Google is about to run a security scan through the Play Store’s security mechanism and hold back the malicious payload, releasing it only once they are clear of any security scans. Furthermore, the operator hides the ad-related code under the file name ‘com.google’, and thirdly, these apps delay displaying ads.
To elaborate, adware usually shows ads while the app is in use, while some might push only a few ads if the app was recently installed. These ads garner revenue as they are displayed. These 42 apps delay their ads, which means that once the app is downloaded, it shows its first ad only after a ‘set duration’, which turns out to be 24 minutes for these apps. The more time it takes for adware to start pushing ads, the less likely the user is to link the ads to the particular app causing them.
Some of the apps include ‘Smart Gallery’, ‘SaveInsta’, ‘DU Recorder’, ‘Ringtone Maker Pro’, ‘Free Top Video Downloader’, ‘HikeTop+’, etc., which are available on the Google Play Store, while the apps that were not spotted there were seen on third-party app stores. Researchers also pinpointed the operator, using a number of details he provided to his domain registrar and techniques that put those known details to work.