Google recently removed 85 different apps, mostly photography apps and games, that all contained the same adware and managed to get over 8 million collective installs before being shut down. The unique adware uses some sneaky tricks to avoid being found out and removed by users, all while occasionally displaying full-screen ads no matter what the user is doing.
Trend Micro named the adware AndroidOS_Hidenad.HRXH, and as of this writing, there are no longer any apps containing this adware in the Play Store.
The first thing the app does is function normally for 30 minutes. It has methods of checking if it’s been installed and in use that long, and uses network time calibration to avoid savvy users messing with the clock. Once it’s been around for 30 minutes, the app will take its own icon off the home screen, if it’s present, and replace it with a dummy shortcut. This means that users who catch on to the behavior and try to uninstall the app by simply dragging it to a trash can on their home screen will be thwarted.
The app also has ways of checking if a user is actually present before displaying full-screen ads, one of which can be seen in the gallery below. This is presumably to maximize profits by guaranteeing ad providers against accusations of ad fraud, a problem that has been running wild in recent years and costing both developers and advertisers a hefty chunk of change, both directly and indirectly.
The app uses various checks to space out the ads and make sure it doesn’t show the same one back to back. Though this may make the adware a tiny bit less annoying for users, the default ad time set is five minutes, and there’s no way to exit.
While this is obviously different for each ad and probably doesn’t reach the full five minutes to avoid users getting fed up and turning off their devices or otherwise disengaging, the possibility of a user’s device being all but taken over for a full five minutes is, in a word, terrifying.
To add insult to injury, many of the API calls responsible for all of this behavior are encoded in simple Base64, a crude attempt at hiding the behaviors from security researchers and power users who enjoy tearing into APK files to see what goes into the apps and games that they love. Thankfully, the ads are the only malicious behavior these apps have, and they don’t even make any extra efforts to avoid being uninstalled. This means that users who can actually bear the woeful tide of ads can feel free to use the apps, to whatever extent they perform their advertised function.
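A triage sketch for the Base64 string hiding described above, added here as an example and not code from Trend Micro or from the adware: it decodes Base64-looking entries in an APK string dump and reports the ones that hide Java-style identifiers. The sample strings, the `WATCHLIST` entries and all function names are constructed for illustration.

```python
import base64
import binascii
import re

# A run of Base64 alphabet long enough to hold an identifier, with optional padding.
B64_CANDIDATE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
# Decoded text shaped like a Java/Android class, method or intent-action name.
JAVA_IDENT = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Assumption: real Android names related to behaviours the article describes,
# chosen for illustration and not taken from the adware itself.
WATCHLIST = {
    "setComponentEnabledSetting": "can disable an app's launcher icon",
    "android.intent.action.USER_PRESENT": "fires when the user unlocks the device",
}


def decode_if_identifier(s):
    """Return the decoded text if s is Base64 hiding an identifier, else None."""
    if len(s) % 4 != 0 or not B64_CANDIDATE.match(s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None  # plain names that merely fit the alphabet decode to junk
    return text if JAVA_IDENT.match(text) else None


def scan_strings(strings):
    """Return (encoded, decoded, hint) for every Base64-hidden identifier."""
    findings = []
    for s in strings:
        decoded = decode_if_identifier(s.strip())
        if decoded:
            hint = next((why for name, why in WATCHLIST.items() if name in decoded), None)
            findings.append((s, decoded, hint))
    return findings


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample standing in for a dex string table dump.
SAMPLE_STRINGS = [
    "getSystemService",                          # plain API name, not encoded
    _b64("setComponentEnabledSetting"),          # hidden method name
    _b64("android.intent.action.USER_PRESENT"),  # hidden intent action
    _b64("hello world!"),                        # valid Base64, not an identifier
    "Ljava/lang/String;",                        # ordinary type descriptor
]

if __name__ == "__main__":
    for encoded, decoded, hint in scan_strings(SAMPLE_STRINGS):
        print(f"{encoded} -> {decoded} ({hint or 'no watchlist match'})")
```
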
Despite all the measures taken to make the malware bearable, adware is adware. In the Android world, the only time an app is supposed to be displaying any ad more intrusive than a simple dismissible notification, at least if it’s an app in the Play Store, is while the app is active in the foreground. Users can avoid ending up with this sort of adware, and other nastiness, by running a security app on their devices, such as Trend Micro or Lookout, as well as checking reviews before installing anything.