Security researchers at Malwarebytes have spotted a new piece of Android malware that's disguised as an adblocker while simultaneously serving up ads. The app is detected as Android/Trojan.FakeAdsBlock and is found under a branding that's equal parts common and vague. Dubbed Ads Blocker, the malware is particularly damaging because of how it both gains and keeps control.
Contrary to its name, Ads Blocker actually serves up multiple ads on a minute-to-minute basis rather than working as an adblocker. Those ads take several forms, and the app hides itself in plain sight while serving them. After installation, the app doesn't appear in the app drawer and doesn't add a visible widget. Instead, it sets to work showing full-page, default browser, notification, and home screen ads.
The home screen ads appear after the app requests the creation of a widget. The app keeps that widget invisible and undiscoverable except when serving up ads.
Ads Blocker also keeps any hints of its existence in the app manager or notifications invisible. It accomplishes that by using a text color that matches the background, making the entries appear blank.
It obtains the access it needs for this through standard Android permission requests. Namely, those are the "Allow display over other apps" and "Connection request" permissions. In the latter case, the app makes the request to "set up a VPN connection that allows it to monitor network traffic."
Neither permission is unusual for an adblocker app. In the latter case, the app even adds a key-shaped icon to the notification panel. That's meant to throw users off since there's actually no VPN running. It just lets the app continue running in the background.
Tapping the blank notification also triggers a request for permission to install apps from third-party sources. That's most likely a ploy to allow installation of further malware.
How to get rid of this ad-heavy "adblocker" malware
Ads are annoying under the best circumstances, but Ads Blocker takes things to the extreme. Not only does it periodically show ads that fall well outside of what most users would be comfortable with, it also displays other ads that request further information from the user and that appear valid on the surface. The latter are almost certainly not legitimate.
Getting rid of the app isn't impossible or even overly challenging, at least for now. More precisely, it isn't too difficult if the app hasn't installed any further apps, although the implications of allowing third-party installations aren't immediately clear.
The easiest method to get rid of the app seems to depend on a quirk of Android. Developers are able to give the appearance of a blank entry in the app manager found in Settings, but the amount of storage space taken up by the app still shows as a visible number regardless. So the app shows up as a blank app manager entry with a storage readout.
To remove the app, users need to navigate to Settings and then scroll to the section associated with Apps, All Apps, or Apps and Notifications. Within the resulting list of apps, users must scroll through until they see the blank app that only shows the storage allotment. Tapping on that should bring up a full set of details about its storage and memory use, among other things. An "Uninstall" button is placed near the top of the page.
This particular piece of ads-serving "adblocker" malware can also be detected and at least partially mitigated by installing threat detection software from a reputable source.
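For analysts who have a sideloaded APK's manifest decoded to plain XML, the traits described above can be checked mechanically. The script below is an added example, not code from Malwarebytes or from this article; the sample manifest and package name are constructed, and the mapping from the on-screen prompts to Android manifest names (SYSTEM_ALERT_WINDOW, BIND_VPN_SERVICE, REQUEST_INSTALL_PACKAGES) is this example's assumption about how those prompts are declared.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical package) with the traits described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.adsblocker">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <activity android:name=".Main"/>
    <service android:name=".Tunnel"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
    <receiver android:name=".Widget">
      <intent-filter>
        <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage(manifest_xml):
    """Return the traits from the write-up that a decoded manifest exhibits."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    intents = {e.get(ANDROID + "name") for e in root.iter()
               if e.tag in ("action", "category")}
    found = []
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        found.append("overlay")           # "Allow display over other apps"
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        found.append("sideload")          # install apps from third-party sources
    if any(s.get(ANDROID + "permission") == "android.permission.BIND_VPN_SERVICE"
           for s in root.iter("service")):
        found.append("vpn-service")       # source of the "Connection request" prompt
    if "android.appwidget.action.APPWIDGET_UPDATE" in intents:
        found.append("widget")
    if "android.intent.category.LAUNCHER" not in intents:
        found.append("no-launcher-icon")  # nothing in the app drawer
    return found

def is_suspicious(manifest_xml):
    # Overlay and VPN access are normal for an adblocker on their own, so flag
    # only when they are combined with concealment from the app drawer.
    found = set(triage(manifest_xml))
    return "no-launcher-icon" in found and len(found - {"no-launcher-icon"}) >= 2
```

A hit is a reason to look closer rather than a verdict, since legitimate apps without a launcher icon do exist.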
Not quite as easy as others to accidentally install
Ads Blocker is just the latest of dozens of instances of malware hitting Android in recent weeks. It isn't even the only one to serve up ads maliciously, or to pose as an adblocker or some other app it isn't. Even worse malware has made recent appearances too. That includes one referred to as Xhelper that is all but impossible to uninstall, even with a factory reset.
Ads Blocker isn't available on the Google Play Store either. Users must download the app from external sources. So it's not as likely to spread as widely, since most users are aware of how dangerous it can be to install apps that aren't vetted by Google. Even some apps that are vetted aren't entirely safe.