60,000 Android applications have been infecting our smartphones for 6 months: how did they go unnoticed?


Alexander Boero

June 07, 2023 at 5:20 p.m.


smartphone malware © Sutthiphong Chandaeng / Shutterstock


For several months, thousands of legitimate-looking applications have been circulating on Android and spreading adware, small pieces of software that push unwanted advertisements onto our devices.

The numbers are dizzying. Over the past 6 months, some 60,000 unique malicious apps have slipped under detection radars around the world, until a Bitdefender tool finally uncovered the scheme. The applications spread adware, which can then redirect users to other, even more dangerous types of tools.

Third-party sites indexed on Google trick users into downloading malicious apps

The adware in question has been active since October 2022. It is distributed in the form of bogus applications that can either be copies or equivalents of VPNs, security software, Netflix, YouTube or TikTok without advertisements, or the like. The idea is to make users believe that downloading these applications will give them extended functionality.

To distribute these malicious applications, the hackers rely on websites that promote them. In other words, the apps are not hosted on the Google Play Store this time, but on third-party sites. These trick you into using APKs, the Android installer packages that make it easier to install these rogue apps.

These websites can then redirect Internet users in two ways: either they are encouraged to visit other websites that generate advertising and revenue, or they are encouraged to download the application they initially searched for on Google. And yes, these sites do appear in the search engine's results!


American users are the most affected by the adware, which also hit France © Bitdefender

Adware capable of redirecting you to a banking Trojan

What happens once the malicious application is downloaded as an APK? The APK is infected with malware, but because of privileges (permissions), activation remains manual: the malware is activated when you open the application after installing it.

The tool is rather treacherous, because it is difficult to spot. It does not use an icon and has a UTF-8 character for the title. If the user launches the application, the following error message is displayed: “The app is not available in your region. Press OK to uninstall.” Obviously, pressing “OK” will not initiate any uninstallation procedure. The app simply sleeps for two hours before registering again. When launched, it connects to the hackers’ server to retrieve advertisements to display on the smartphone in full screen, or directly in the browser.
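The hiding traits described above (installed from outside Google Play, no icon, a title made of a stray UTF-8 character) can be turned into a triage check over an app inventory. This is an added example, not code from Bitdefender or the article; the `AppRecord` fields, the sample inventory and the reading of "UTF-8 character" as "a label with no readable letter or digit" are assumptions.

```python
import unicodedata
from dataclasses import dataclass
from typing import Optional

PLAY_STORE = "com.android.vending"  # installer package name of Google Play
# Hangul fillers: Unicode category "Lo" (letter) but rendered as blank space.
BLANK_LETTERS = {"\u115f", "\u1160", "\u3164", "\uffa0"}

@dataclass
class AppRecord:
    # Hypothetical inventory record, e.g. exported by a device-management agent.
    package: str
    label: str
    has_launcher_icon: bool
    installer: Optional[str]  # None: installed from an APK file, no store recorded

def label_is_unreadable(label: str) -> bool:
    """True when the label holds no letter or digit a user could read in a list."""
    return not any(unicodedata.category(ch)[0] in "LN" and ch not in BLANK_LETTERS
                   for ch in label)

def triage(app: AppRecord) -> list:
    """Return the traits from the article that this app exhibits."""
    reasons = []
    if app.installer != PLAY_STORE:
        reasons.append("not installed from Google Play")
    if not app.has_launcher_icon:
        reasons.append("no launcher icon")
    if label_is_unreadable(app.label):
        reasons.append("label has no readable character")
    return reasons

def suspicious(apps, threshold=2):
    """Map package name to reasons for apps showing at least `threshold` traits."""
    flagged = {}
    for app in apps:
        reasons = triage(app)
        if len(reasons) >= threshold:
            flagged[app.package] = reasons
    return flagged

# Constructed sample inventory (package names are made up).
SAMPLE = [
    AppRecord("com.example.notes", "Notes", True, PLAY_STORE),
    AppRecord("org.example.podcasts", "Podcast Player", True, None),
    AppRecord("com.example.freevpn", "\u200b", False, None),
    AppRecord("com.example.tube", "\u3164", False, "com.example.browser"),
]
FLAGGED = suspicious(SAMPLE)  # computed over the constructed sample above
```

Requiring two traits keeps an ordinary sideloaded app with a normal name and icon out of the results, since sideloading alone is common and not malicious in itself.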

According to Bitdefender, the malware is currently used only to display advertising. However, the hackers can swap the adware URLs for more malicious websites, redirecting users to banking Trojans that would lead to the theft of personal and banking information, and potentially to the launch of ransomware.

Source: Bitdefender Blog


