The findings were published in a research paper by Bot mitigation company White Ops and were reported by ZDNet. The authors of the research paper claim that the all apps on Google Play store were developed by the same group of developers.
Google has removed 38 apps from its Google Play store that infested Android smartphones with out-of-context advertisements. According to a research paper, these apps focused on beauty-related features (mostly for taking selfies); however, they served no legitimate purpose and were only intended for displaying malicious ads. It is also noted that the fraudulent apps redirected users to "out-of-context URLs" and in some cases, made it nearly "impossible" for users to delete them. The research paper claims that these apps had amassed more than 20 million downloads.
By September 2019, the developers had changed their tactics and published a batch of 15 apps that had a much slower removal rate. In November 2019, two new apps namely, Rose Photo Editor & Selfie Beauty Camera and Pinut Selife Beauty Camera & Photo Editor were updated with "most of the fraudulent code," to avoid detection, the paper indicated.
How did the malicious apps on Google Play function?
The research points out that the first batch of these apps (21 out of 38) appeared on Google Play in January 2019 and was focused on taking selfies or adding filters to users' photos. But those were quickly removed from the Google Play store after their malware-like behaviour was detected.
"But even with an average of less than three weeks of time on the Play Store, the apps found an audience: the average number of installs for the apps we analysed was 565,833," the research reads.
How did the apps avoid detection?
The White Ops paper notes that to avoid the malicious ad-bombarding code from being detected, most of these apps used "packers." These packers are hidden in the APK in the form of extra DEX files.
The bad actor(s) behind this threat tried several packers in the apps, which clearly tells us of their sophistication, resources available, and determination," the research paper reads.
"Historically, packing binaries is a common technique malware developers use to avoid being detected by security software like antivirus. Packed files in Android are not new and can't be assumed to be malicious, as some developers use packing to protect their intellectual property and try to avoid piracy," the paper added.
The second method of avoiding detection comprised using Arabic characters in various places of the apps' source code. This particular methodology of obfuscation essentially helps reducing readability for people not familiar with Arabic, therefore, avoiding further detection.
What's next
As mentioned, these apps displayed out-of-context ads and in some cases, they removed app icons that made it difficult for users to uninstall the app from their Android devices. Although Google has removed these 38 apps from the app store, it is likely that they still are installed on several devices.
