Android malware seems to be popping out everywhere as a new Android malware strain was uncovered by security experts which have plagued the Google Play Store. Based on the reports, there have been over 500,000 downloads of the malware-laden apps which happens to be QR readers. According to a report from SophosLabs, there are over seven QR code readers infected in the Google Play Store. Aside from that, it seems that one smart compass app might also have been infected.
Referred to as “Andr/HiddnAd-AJ”, this new Android malware blasts infected devices with tons of ads but “only after lying low for a while to lull you into a false sense of security”, Paul Ducklin from SophosLabs wrote in a blog.
“Following installation, the malware waits for six hours before it begins work on its true purpose — serving up adware, flooding the user with full-screen adverts, opening adverts on web pages and sending various notifications containing ad related links,” Danny Palmer from ZDNet wrote.
The infected QR apps were downloaded more than 500,000 times which clearly indicates a critical vulnerability in the Android platform due to the fact that malware was able to get past the security measures in Google Play.
Cybercrooks behind this malware utilized social engineering in infecting these legitimate apps as well as create fake ones that contain the code for the malware. The following apps below are part of the partial list of the infected QR apps:
- QR Code/ Barcode
- Smart compass
- QR Code Free Scan
- QR & Barcode Scanner
Based on the analysis made by security experts, the infected apps begins its attack with the use of a stealth protection mechanism which is done by delaying the infected devices’ startup for a couple of hours to evade some common virus signature and behavior from being identified by security or system apps. And the moment the time limit ends, the actual malware execution begins.
It seems that the main purpose of the malware is to produce a series of annoying spam messages. This actually resembles the function of traditional browser hijackers where it modifies the installed software in the device so it can redirect users to its affiliated page. This could lead to various threats, including the sending of push notifications with the same message. This kind of technique is carried out so the malware can manipulate users into interacting with dangerous and malicious content.
Moreover, the analysis also revealed that whenever the malware-laden apps are launched, a network connection with the servers controlled by the attackers will be initiated and an elaborate configuration file will be generated for each infected Android device which will be sent to the relevant local instance. The data in the configuration file consist of the following values:
- The Google Ad Unit ID for the specific machine.
- A list of predefined links that form the pushed advertisement.
- The list of icons, messages, and hyperlinks for the displayed ad campaigns.
- The predefined delay before the next network connection is established.
Once the configuration file is sent, the predefined delay of the malware before it executes the next phase of its attack is established. After that, the Android malware will be flooding the infected device with various advertisements, web pages, and push notification messages.
The existence of these kinds of threats is quite alarming since it can also be used for other kinds of attacks in the infected devices that could range from actions like delivery of additional malicious payloads to modify the infected system. Updated and advanced version of this malware can even include a Trojan module that could be utilized to spy on the victims in real time as well as take over the control of the device.
At the time of writing, security experts already notified Google regarding the infected QR apps and one smart compass app which are already removed from the Google Play Store. These kinds of cases happen more often these days despite Google’s efforts in improving the security measures in the Google Play Store. This is why security experts advise Android users to be cautious in downloading apps no matter where the source came from as no source is safe from Android malware, even the Play Store.