In September, 25 Android applications were reported to Google as a preferred vehicle for spreading malware. Trend Micro has now released a report pointing the finger at no fewer than 49 new applications on the Google Play Store that contain hidden malware, inside apps created ad hoc to conceal their real purpose.
According to the company's research, as many as 3 million Android devices are estimated to be affected by these applications, which are listed on the Google Play Store as camera apps or games. The malware uses a series of algorithms designed to confuse the user, even with regard to web browsing.
In fact, it appears able to disguise itself as Google Chrome by installing a shortcut to the app directly on the home screen of Android devices. The user, believing they are starting the Google browser, instead uses the modified and unofficial version. The Android malware code was developed to wait several hours before starting to show advertising on the phone, a trick used to prevent the user from directly connecting the presence of the ads to the newly installed application.
Trend Micro says it immediately provided the entire list of applications to Google, which promptly ran for cover by removing them from the Play Store. The multinational, which specializes in computer security, has been following the spread of malware through the Google store for some time; in August it had already discovered 85 photography and gaming applications designed to show advertising.
The malware in question shows full-screen advertising and is also clever enough to hide its own icon, which is reminiscent of malware that cannot be uninstalled even by formatting the smartphone. The victim cannot close the advertisement through the usual controls, and can only use the back button to stop it for a short time.
The developers of the malware used several techniques to evade the standard protections designed to block the execution of such applications. The code is encrypted with custom algorithms to make it more difficult to identify. The malware is kept running constantly through the StartForegroundService function (deprecated in Android 8 Oreo), so that it always stays in memory even when the user does not launch it.
As you can see from the image above, the malware presents itself with an ordinary Google Chrome icon that, once opened, triggers a full-screen advertisement. This behavior is also meant to confuse the user, so that they cannot identify the guilty application and remove it.
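To help pin down the guilty application, the following added example (not code from Trend Micro's report) flags user-installed packages that combine two of the behaviors described above: a service kept in the foreground and no launcher icon. The package names, the sample text and the assumed adb output formats are constructed for illustration.

```python
import re

# Constructed sample inputs, not taken from the report. Formats are assumed to
# follow the output of these adb commands and may differ by Android version:
#   adb shell pm list packages -3
#   adb shell cmd package query-activities --brief \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
#   adb shell dumpsys activity services
THIRD_PARTY = "package:com.example.notes\npackage:com.example.funcamera\npackage:com.example.musicplayer\n"
LAUNCHER = """\
  com.android.chrome/com.google.android.apps.chrome.Main
  com.example.notes/.MainActivity
  com.example.musicplayer/.ui.Home
"""
SERVICES = """\
  * ServiceRecord{1a2b3c4 u0 com.example.funcamera/.KeepAliveService}
    isForeground=true foregroundId=7 foregroundNoti=Notification(channel=c)
  * ServiceRecord{5d6e7f8 u0 com.example.musicplayer/.PlaybackService}
    isForeground=true foregroundId=1 foregroundNoti=Notification(channel=p)
  * ServiceRecord{9a8b7c6 u0 com.example.notes/.SyncService}
    isForeground=false foregroundId=0 foregroundNoti=null
"""

def third_party_packages(text):
    return {m.group(1) for m in re.finditer(r"^package:(\S+)", text, re.M)}

def launcher_packages(text):
    # Keep only lines that are a bare "package/activity" component.
    return {m.group(1) for m in re.finditer(r"^\s*([\w.]+)/\S+\s*$", text, re.M)}

def foreground_service_packages(text):
    found, current = set(), None
    for line in text.splitlines():
        record = re.search(r"ServiceRecord\{\S+ u\d+ ([\w.]+)/", line)
        if record:
            current = record.group(1)  # following lines describe this service
        elif current and "isForeground=true" in line:
            found.add(current)
    return found

def suspects(third_party, launcher, services):
    """User-installed packages holding a foreground service but exposing no launcher icon."""
    pinned = third_party_packages(third_party) & foreground_service_packages(services)
    return sorted(pinned - launcher_packages(launcher))

print(suspects(THIRD_PARTY, LAUNCHER, SERVICES))  # review each result by hand
```

A hit is only a candidate for manual review, since some legitimate apps also run foreground services without a launcher icon.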
How to stay safe
But what countermeasures can a user take against this kind of malware? As we said, this Android malware exploits a function deprecated in Android 8 Oreo, so simply keep your smartphone up to date with the latest Android version available.
Check the reviews by other users before installing an application. One of the offending applications was full of one-star reviews, in which the users themselves reported some of the problems described in this article. If the application you want to install has numerous negative reviews, it is very likely that something is wrong.