Security firm Avast recently discovered 50 different applications that contain adware. These apps, which include Magic Cut Out, Mov-tracker, Photo Blur Studio, Pro Photo Eraser, and Pro Piczoo, were downloaded around 30 million times before Google removed them from the Play Store.
Those apps use two different versions of an adware library called TsSdk. The older version, which Avast calls “version A”, has been downloaded around 3.6 million times, and most of its victims are from Bangladesh, India, Indonesia, Nepal, Pakistan and the Philippines. Most of the applications that contain this version are simple games, fitness apps, and photo-editing apps.
Meanwhile, the newer version of the TsSdk adware, which the security firm refers to as “version B”, is used in applications that users downloaded more than 28 million times. Users who have been affected by this version of the adware are located mostly in Brazil, Great Britain, India, Indonesia, Malaysia, Nepal, and the Philippines.
The newer version of the TsSdk adware is comparatively more advanced than version A of the code. According to Avast, the older implementation is much faster to detect because it is not encrypted, which makes it easier for security analysts to spot. In contrast, version B is protected by encryption, forcing security researchers to use specialized analysis tools to detect the adware.
Another difference between the two adware versions is the trigger needed to show advertisements. Both versions tend to show full-screen ads, and the older version also adds new shortcuts to applications and a game center.
The newer version of the TsSdk adware takes advantage of a feature in Facebook’s software kits for developers called “deferred deep linking”. By using this feature, the adware shows advertisements only when people click or tap on a specific ad on Facebook.
This adware pushes ads every 15 minutes for the first four hours after the installation of the application, although the frequency of full-screen ads goes down after the first four hours. Interestingly, restrictions in running background processes in Android 8.0 Oreo and newer prevent this version of the adware from showing ads.
Another interesting finding by security researchers from Avast is that the game center icon that the adware places on the home screen leads to a website previously linked with the Cosiloon adware that Avast also discovered last year.
Even though Google has already removed the applications from the Play Store, the continued appearance and discovery of adware on Google’s application platform highlights the fact that the search giant’s efforts to weed out malicious software are still inadequate. Recently, several security firms, along with online publication BuzzFeed News, discovered several popular applications involved in ad fraud and abuse of user permissions. These applications negatively impact the performance and battery life of the device, and they may also result in additional costs for consumers still enrolled in carrier plans with monthly data allocations.
Moving forward, Avast advises users to remain vigilant when downloading applications, check the reviews left by other users before installing an app, and carefully check the permissions that an app requests.