Here we are again, warning customers about new apps that are supposed to be useful but are tainted with malware. How did this happen? You might not think that QR readers and compass apps could be laced with malware, right? Unfortunately, you are mistaken.
The malware was sneaked into the Google Play store this way: the apps were able to bypass Google's security checks through clever coding and a delayed payload, with the malicious activity held back until well after installation.
Once downloaded and installed on the device, the malware waits for six hours before its true intentions are manifested. It then serves up adware: full-screen adverts flood the device, advertisements are opened on web pages, and it sends various notifications containing ad-related links.
What purpose does it serve? It is brilliantly coded with the intent of generating revenue from click-based campaigns, which the attackers eventually cash in, because it keeps running in the background even when the app itself is not actively in use.
This malware has been dubbed Andr/HiddnAd-AJ by SophosLabs. Malware developers typically target general-purpose apps because a lot of people use them, which gets more people to download, install and spread the malware. It had been downloaded at least 500,000 times before it was removed from Google Play.
Most apps, once downloaded and installed, first fetch configuration information from a server; in this case that server is controlled by those behind the attack. But here the app waits so that it is not detected: no nefarious background code runs until the grace period has passed, after which the configuration is downloaded and pushed to the device and the intended payload is carried out.
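The dormant-then-flood behaviour described above (a long delay between install and the first configuration fetch, followed by a burst of ad activity) is something a defender can look for in device telemetry. The following Python snippet is an added example and is not code from the article or from SophosLabs; the event log lines, package names and event-type labels are constructed for illustration, and the four-hour threshold and minimum ad-event count are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample device event log (not from the article): one app that
# stays dormant for hours before fetching its config and flooding ads, and
# one benign app that fetches its config right away and never shows ads.
# Format per line: "<ISO timestamp> <package> <event_type>"
SAMPLE_EVENTS = [
    "2018-03-20T09:00:00 com.example.qrreader install",
    "2018-03-20T09:00:05 com.example.weather install",
    "2018-03-20T09:00:07 com.example.weather net_config_fetch",
    "2018-03-20T09:01:00 com.example.weather foreground",
    "2018-03-20T15:00:10 com.example.qrreader net_config_fetch",
    "2018-03-20T15:00:20 com.example.qrreader fullscreen_ad",
    "2018-03-20T15:02:00 com.example.qrreader notification_adlink",
    "2018-03-20T15:05:00 com.example.qrreader fullscreen_ad",
    "2018-03-20T15:07:00 com.example.qrreader browser_open_ad",
]

# Assumed tuning values for this example: how long an app must sit idle
# before its first config fetch, and how many ad events must follow it.
DELAY_THRESHOLD = timedelta(hours=4)
MIN_AD_EVENTS = 3
AD_EVENTS = {"fullscreen_ad", "notification_adlink", "browser_open_ad"}


def parse_events(lines):
    """Group log lines by package, as sorted (timestamp, event_type) pairs."""
    events = defaultdict(list)
    for line in lines:
        ts, pkg, kind = line.split()
        events[pkg].append((datetime.fromisoformat(ts), kind))
    for pkg in events:
        events[pkg].sort()
    return events


def find_dormant_adware(lines, delay=DELAY_THRESHOLD, min_ads=MIN_AD_EVENTS):
    """Flag packages whose first config fetch happens only after a long
    dormant period and is followed by a burst of ad-related events."""
    flagged = {}
    for pkg, evs in parse_events(lines).items():
        install = next((t for t, k in evs if k == "install"), None)
        fetch = next((t for t, k in evs if k == "net_config_fetch"), None)
        if install is None or fetch is None:
            continue
        dormant_for = fetch - install
        ads_after = sum(1 for t, k in evs if k in AD_EVENTS and t >= fetch)
        if dormant_for >= delay and ads_after >= min_ads:
            flagged[pkg] = {
                "dormant_hours": dormant_for.total_seconds() / 3600,
                "ad_events": ads_after,
            }
    return flagged


if __name__ == "__main__":
    for pkg, info in find_dormant_adware(SAMPLE_EVENTS).items():
        print(f"{pkg}: dormant {info['dormant_hours']:.1f}h, "
              f"{info['ad_events']} ad events after config fetch")
```

On the sample log only the QR-reader package is flagged: it fetches its configuration about six hours after install and then produces four ad events, while the weather app fetches immediately and shows no ads. The point of keying the rule on the gap between install and first config fetch is that a delayed first contact is exactly what a time-based grace period looks like from the outside, regardless of what the app's code is named or which library it hides in.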
In addition to the malicious activity initially being hidden, the malware is helped by the adware code being embedded in what looks like a standard Android programming library within the app's files.
Sophos discovered the malware and informed Google, which prompted Google to pull the apps from the Play Store. Despite Google's failure to detect the malware-laced apps, it is still safer to get software from the Google Play store than from third-party Android app download stores. This is helpful because other users might notice things that you and I have missed, and Google will be alerted by the users themselves.
Reporting a dodgy or possibly infected app helps a lot of users. Google will investigate the matter and, if the app is deemed unfit for distribution, it will be taken down, stopping it from spreading to other devices.