182 Android apps have been linked to an adware campaign that has plagued users who download apps from Google Play. Trend Micro detected the adware campaign identified as AndroidOS_HiddenAd.HRXAA and AndroidOS_HiddenAd.GCLA. The adware was hidden inside free-to-download game and camera apps, the majority of which were found on the Google Play Store and had millions of downloads collectively.
The adware behind the campaign was disguised as game and camera apps and was discovered in mid-June. Trend Micro says that it generated heuristic patterns that were used to analyze other samples it had detected and were able to deduce that the adware campaign had been active since 2018. All of the apps that were detected were part of the same adware campaign despite being submitted by different developers.
Of the 182-adware-loaded apps, 111 were found on the Google Play Store. The remainder of the apps were found at third-party stores like 9Apps and PP Assistant. Trend Micro says that 43 of the 111 apps hosted on Google Play were unique or had distinct features with the rest being iterations or duplicate apps. Trend Micro notes that all of the malicious apps had been removed from Google Play during its analysis except for eight apps, which were later removed.
As of July 1, 2019, when Trend Micro published its report on the malicious apps, they had been cumulatively downloaded 9,349,999 times. The adware inside the apps displayed full-screen ads whenever a user unlocked their device. The most frequent pop-up ads seen in the campaign was a new ad every 5-minutes.
The ads couldn't be immediately exited, and when the user clicked the back arrow, the adware opened a call-to-action message instead of exiting the ad. The apps also hid from users to prevent their deletion, and some of the ads waited 24 hours before a scheduled task was evoked to make the apps seem legitimate and evade regular sandbox detection.
Google has a history of fighting malware that is often only detected after millions of users are impacted. In February 2019, 29 malicious apps were discovered that had been downloaded by millions. A study last month found that the Google Play Store hosts thousands of malware-laden Android apps.