Beware Of New Malware on The Google Play Store Disguising Themselves as Cleaner Apps

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Researchers at McAfee’s Mobile Research Team

“They try to hide themselves to prevent users from noticing and deleting apps. Change their icon to a Google Play icon that users are familiar with and change its name to ‘Google Play’ or ‘Setting’”, explains McAfee’s Mobile Research Team.

Malware hides itself by changing icons and names

Display Advertisements to Victims

A sudden display of advertisements

These services suggest users run an app when they install, uninstall, or update apps on their devices.

A button suggesting that the user run an app

Promoting Apps to New Users

The malware authors created advertising pages on Facebook. Because the link to Google Play is distributed through legitimate social media, users are left with little margin for doubt.

Advertisement Pages on Facebook

The Working of the Malware

The adware apps abuse the Contacts Provider, an Android component that allows the transfer of data between the device and online services. For this, Google provides the ContactsContract class, which is the contract between the Contacts Provider and applications.

According to the experts, ContactsContract includes a class called Directory. A Directory represents a contacts corpus and is implemented as a Content Provider with its own unique authority, so developers can use it to implement a custom directory. The Contacts Provider recognizes that an app is using a custom directory by checking for special metadata in the manifest file.

“The important thing is the Contact Provider automatically interrogates newly installed or replaced packages. Thus, installing a package containing special metadata will always call the Contact Provider automatically”, according to the recent blog post from McAfee.

The apps also use the <activity-alias> tag to change their icons and names and so hide themselves.
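A defender-side check for the two manifest traits described above, added here as an example and not taken from McAfee's post or the original article: it scans a decoded AndroidManifest.xml for a provider carrying the `android.content.ContactDirectory` meta-data and for launcher `<activity-alias>` entries whose label or icon differs from the application's. The package, component names and sample manifest are constructed, and the input is assumed to be the text form of the manifest (for example as decoded by apktool); both traits also occur in legitimate apps, so a finding marks something to review.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
DIRECTORY_META = "android.content.ContactDirectory"  # meta-data key the Contacts Provider looks for
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest in decoded text form; every name in it is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <application android:label="Junk Cleaner" android:icon="@drawable/ic_cleaner">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".AliasSettings" android:targetActivity=".MainActivity"
        android:label="Setting" android:icon="@drawable/ic_settings" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <provider android:name=".DirProvider" android:authorities="com.example.cleaner.dir"
        android:exported="true">
      <meta-data android:name="android.content.ContactDirectory" android:value="true"/>
    </provider>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (rule, component, detail) findings for the two manifest traits."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app is None:
        return findings
    # Trait 1: a provider that registers itself as a contact directory, which the
    # Contacts Provider queries automatically when the package is installed or replaced.
    for prov in app.iter("provider"):
        for md in prov.iter("meta-data"):
            if md.get(ANDROID + "name") == DIRECTORY_META and md.get(ANDROID + "value") == "true":
                findings.append(("contact-directory", prov.get(ANDROID + "name"),
                                 prov.get(ANDROID + "authorities")))
    # Trait 2: a launcher alias that presents a different label or icon than the app itself.
    for alias in app.iter("activity-alias"):
        cats = {c.get(ANDROID + "name") for c in alias.iter("category")}
        label, icon = alias.get(ANDROID + "label"), alias.get(ANDROID + "icon")
        differs = (label not in (None, app.get(ANDROID + "label"))
                   or icon not in (None, app.get(ANDROID + "icon")))
        if LAUNCHER in cats and differs:
            findings.append(("launcher-alias", alias.get(ANDROID + "name"),
                             f"label={label} icon={icon}"))
    return findings
```

When the manifest comes from an untrusted APK, parse it with a hardened XML parser such as defusedxml rather than the standard-library one used here.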

Final Word

According to McAfee telemetry data, this malware and its variants affect a wide range of countries, including South Korea, Japan, and Brazil. This type of malware is particularly hard for users to notice.

For users who have installed the above-mentioned apps on their Android smartphone, it is advisable to uninstall them manually from the device.
