Three adware-serving Android apps on Google Play reach millions

At least three apps on Google Play have slipped through Google’s checks and are pestering millions of Android users with adware.

Among Google’s developer terms regarding its system interface is that ads “must not simulate or impersonate the user interface of any app, or notification and warning elements of an operating system.”

While Google does vet apps for this behaviour before allowing them on Google Play, several apps available on the app store are doing just this.

Google Play users reported three apps that contain adware in January on a security-related forum. As one video of the adware demonstrates, upon unlocking a Nexus 5 with the adware-loaded app installed, an “urgent” system notification advises them to click OK to “fix your internet”. It suggests the Opera Mini browser to resolve the bogus issue, but then redirects them to a different app on Google Play that purports to fix other issues.    

The apps are currently more of an annoyance to users than a serious security threat, but until Google removes them, they could be adapted to lead Google Play users to more malicious apps.

Malware analysts from security firm Avast have poked around the three apps on Google Play that display this behaviour, which includes Durak, an English-language card game app with as many as 10 million installations by Google Play counts.

The others, with lower counts, are a Russian language IQ test app and a Russian history app.

All three are still currently available on Google Play and they’re also directing users to potentially malicious apps outside of Google’s app store.

The apps fly under the radar by behaving in a way that complies with Google’s terms for around 30 days before showing its true adware colours, Avast’s mobile malware analyst Filip Chitry noted.

It may also explain why Google didn’t detect the apps before allowing them on its app store.

A spokesperson for Avast told CSO Australia that the company had reported the suspect apps to Google.

They also said the apps are pushing ads randomly to the user from three legitimate mobile advertising companies, including Twitter-owned MoPub.

“It constantly checks for new ads on the servers of those companies, in order to show them to the user,” Avast’s spokesperson said.

MoPub’s own policies prohibit “any creative that a user might mistake for an OS- or application-level notification rather than an advertisement”.

CSO Australia has asked Twitter for an update on the issue and will adjust the story accordingly if and when it receives a response.

Google updated its app sore developer program policies in 2013 to prevent in-app ads from abusing system notifications, along with other changes to clean up its marketplace.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Upcoming IT Security Events

March 3rd, March 5th, March 9th 2015

Join CSO for the day@#csoperspectives and hear from @kimzetter @LeviathanSec

3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today

Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)