Android adware has plagued the Google Play Store in the past two months
Most of the security reports you’ll read about malware making it on the Play Store are about adware –which is nothing more than malicious apps that have no real functionality and purpose besides showing intrusive ads and generating a profit for their developers.
In the last two months, there has been a surge of reports about adware making it through the Play Store defenses, and being installed on users devices.
ESET researcher blowing the lid on several adware campaigns
ESET security researcher Lukas Stefanko has identified two campaigns in October[1, 2], and then another two in November [1, 2], this year, with two of these infecting at least half of million users, each.
The researcher found adware in apps that were mimicking popular games, kids apps, or instant messaging clients, just to highlight a few.
However, Stefanko isn’t the only one sounding the alarm on adware-infected Android apps.
The explosive BuzzFeed report
Yesterday, in a BuzzFeed News exposé, mobile security researchers from Kochava revealed the existence of similar adware-like functions in eight extremely popular apps that have been downloaded over two billion times from the Play Store.
The apps are Clean Master, CM File Manager, CM Launcher 3D, Security Master, Battery Doctor, CM Locker, and Cheetah Keyboard. All were created by Cheetah Mobile, a Chinese app development company, and one of the biggest app developers on the Play Store.
Google is still investigating the Kochava findings, and only CM Locker has been removed from the Play Store, at the time of writing. The general consensus is that Cheetah Mobile will get away with blaming the advertising SDKs embedded in its apps for the adware-like behavior, and get to keep its apps on the Play Store.
Trend Micro joins the fold
But in addition to the reports mentioned above, Trend Micro has, too, discovered a new Android adware strain, which it named FraudBot.
In a report published today, the cyber-security firm says it found seven Android apps available through the Play Store that were harboring FraudBot instances.
All seven apps were posing as legitimate voice messaging platforms, but, in reality, contained code that would open a mobile browser to load online survey pages, or loaded pages with ads, and later triggered programmatic touch events to mimic users taping on the ads.
Trend Micro researchers said all of the seven apps were uploaded “one by one since October” on the Play Store via different developer accounts, but similarities in the adware’s source code suggests they’ve been coded by the same person or group.
The good news is that unlike the cases reported by Stefanko and Kochava, Trend Micro spotted this adware operation before it took off, and only a small number of users had downloaded and installed the adware-infested apps.
Trend Micro said that Google removed all seven apps from the Play Store after receiving a report from its researchers, but they expect the FraudBot crew to upload new apps in the coming days or weeks.