Sixty apps were removed from the Google Play marketplace in December after they were found to be infected with malware dubbed AdultSwine, which in some cases generated pornographic ads on apps aimed at children. The developers behind the malicious apps also scammed victims with scareware techniques and attempted to register victims for premium services without their consent.
The apps were downloaded between 3 and 7 million times before security researchers at Check Point spotted them on Dec. 17 and notified Google, which promptly removed them. Some of the apps were uploaded to Google Play as early as July 2017, according to researchers.
“We’ve removed the apps from Play, disabled the developers’ accounts, and will continue to show strong warnings to anyone that has installed them. We appreciate Check Point’s work to help keep users safe,” Google said in a statement to Threatpost.
The malicious apps varied in theme, but many intentionally appealed to children with titles such as “Paw Puppy Run Subway Surf”, “Girls Exploration Lite” and “McQueen Car Racing Game”.
Check Point said AdultSwine-infected apps leveraged three techniques: displaying ads, receiving profits for premium services and claiming referral fees for downloaded apps. Once a user downloaded a malicious app to their phone, the AdultSwine malware registered with the rogue developers’ command-and-control server to receive instructions for further operations, researchers said.
“The most shocking element of this malware is its ability to cause pornographic ads (from the attacker’s library) to pop up without warning on the screen over the legitimate game app being displayed,” Check Point said.
Google pointed out that the rogue AdultSwine apps removed from its Google Play store were not part of its Designed for Families program, which places strict guidelines on apps and the types of ads placed on them. It added that ads displayed by AdultSwine were generated by the developers of the rogue apps and were not associated with Google’s advertising platform.
Scammers also used scareware techniques to trick victims into installing unnecessary and likely harmful “security” apps, researchers said.
“First, the malware displays a misleading ad claiming a virus has infected the user’s device. Upon selecting the ‘Remove Virus Now’ call to action, the user is directed to another app in the Google Play Store posing as a virus removal solution. The ‘virus removal solution’ is anything but – it’s another (piece of) malware,” Check Point said.
Attackers also tempted users with bogus “win free iPhone” offers in an attempt to collect personal information, including the target’s mobile phone number. Once obtained, the number was then used by the attackers to sign up for premium services without the victim’s consent.
Check Point said that the AdultSwine code also has the ability to move “laterally within the infrastructure of the phone, opening the door for other attacks such as user credential theft.” Researchers did not offer technical specifics on this type of behavior.
Over the past year Google has had to remove rogue apps from its Google Play marketplace on numerous occasions. Just last week, Google booted two dozen Android flashlight and related utility apps from the Google Play marketplace after researchers at Check Point found a malicious advertising component dubbed “LightsOut” inside them.
In December, Google announced plans to crack down on unwanted and harmful Android apps as part of an expansion of its Google Safe Browsing mission. Starting at the end of January, Google said, it will begin delivering warnings to users of apps and websites deemed in violation of its policies. Also announced last year was Google Play Protect, which among other things includes the ability to manually scan previously downloaded apps in order to check if they are still safe.
In May, Google claimed there were more than two billion active Android devices in use and that Play Protect scanned and verified up to 50 billion apps per day.
Source: ThreatPost