The infected apps hide and promote themselves aggressively on Facebook showing continuous advertisements to victims in a variety of ways. When this malware is installed on the victim’s device, they run malicious services automatically upon installation even without needing any user interaction to open the apps. To promote these apps to new users, the malware authors created advertising pages on Facebook, as it is the link to Google Play distributed through legitimate social media, leaving little margin for doubt for the users.
The adware apps abuse the Contact Provider Android component, which allows the transfer of data between the device and online services. For this, Google provides ContactsContract class, which is the contract between the Contacts Provider and applications. “In ContactsContract, there is a class called Directory. A Directory represents a contacts corpus and is implemented as a Content Provider with its unique authority. So, developers can use it if they want to implement a custom directory. The Contact Provider can recognize that the app is using a custom directory by checking special metadata in the manifest file,” McAfee wrote in a blog post. “The important thing is the Contact Provider automatically interrogates newly installed or replaced packages. Thus, installing a package containing special metadata will always call the Contact Provider automatically.” The first activity of this malware is to create a permanent service for displaying the advertisements. If the service process is “killed” (terminated), it regenerates immediately.
Next, they change their icons and names using the
According to McAfee, users have already installed these apps from 100K to 1M+. Given below is the list of unusually high download numbers for such applications: Most of the affected users belong to countries like South Korea, Japan, and Brazil. McAfee has already disclosed this threat to Google and all reported applications were removed by the search giant from the Play Store. In case, if you have any of the aforementioned apps installed on your Android smartphone, it is recommended to uninstall them manually from the device.