An evasive family of adware posed as 85 photography and gaming apps available for download on the Google Play store.

Trend Micro observed that the adware, detected as AndroidOS_Hidenad.HRXH, had infiltrated 85 apps available for download on Google Play. Those programs boasted a combined total of 8 million downloads at the time of detection. The security firm disclosed its findings to Google, at which time the tech giant’s researchers removed the apps from Google Play.

Once launched, the malicious apps recorded the current time and network time from an infected device. They then registered a Broadcast Receiver to help monitor if a user was present after someone had woken up the device. The apps arrived with techniques through which they could evade time-based detection techniques or other capabilities employed by traditional sandboxes. Beyond those tactics, the apps hid their icons, created a shortcut on the home screen and used Java reflection to further avoid analysis.

Hidden Adware on the Play Store

Threat actors have a history of concealing adware on the Google Play store. In November 2018, Trend Micro came across several apps on the Play store disguised as voice messenger platforms that sought to generate fraudulent ad clicks and automatically display fake surveys.

Several months later, Check Point uncovered 206 applications infected with SimBad adware, which had collectively registered close to 150 million downloads on the Play store. And in June 2019, Lookout discovered 238 applications available for download on the Google Play store that each harbored BeiTaPlugin, adware that rendered an infected device nearly unusable.

How to Defend Against Mobile Threats

Security professionals can help defend their organizations against mobile threats by using artificial intelligence-powered solutions that use context and other information to determine whether certain device behaviors are legitimate. Companies should also leverage a unified endpoint management (UEM) solution to monitor how devices interact with the environment and flag anything that might appear suspicious.

More from

Containers, Security, and Risks within Containerized Environments

Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan.In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would tailor…

Inside the Second White House Ransomware Summit

Ransomware is a growing, international threat. It's also an insidious one. The state of the art in ransomware is simple but effective. Well-organized criminal gangs hiding in safe-haven countries breach an organization, find, steal and encrypt important files. Then they present victims with the double incentive that, should they refuse to pay, their encrypted files will be both deleted and made public. In addition to hundreds of major attacks around the world, two critical ransomware incidents — the Colonial Pipeline attack and…

Did Brazil DSL Modem Attacks Change Device Security?

From 2011 to 2012, millions of Internet users in Brazil fell victim to a massive attack against vulnerable DSL modems. By configuring the modems remotely, attackers could redirect users to malicious domain name system (DNS) servers. Victims trying to visit popular websites (Google, Facebook) were instead directed to imposter sites. These rogue sites then installed malware on victims' computers. According to a report from Kaspersky Lab Expert Fabio Assolini citing statistics from Brazil's Computer Emergency Response Team, the attack ultimately…

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…