


By Dexter Singh

McAfee’s mobile research team has identified new malware on the Google Play store. Most of the samples pose as cleaner apps that remove junk files and optimize the battery as part of device management. In reality, the malware hides itself from victims and displays ads continuously. It also starts its malicious services automatically at installation time, without the user ever opening the app.

Hidden Ads Features and Promotions

These malicious apps were present on Google Play, where victims searching for tools to optimize their device could find the following apps:

Figure 1. Google Play malware

Users usually assume that installing an app is safe as long as they never open it. This malware shows why that assumption does not hold: once it is installed on a device, it starts its malicious services without any user interaction.

It also tries to hide itself so that users do not notice or delete the app: it changes its icon to the familiar Google Play icon and renames itself to “Google Play” or “Settings”.

Figure 2. Malware hides itself by renaming the icon

The auto-run services constantly show ads to victims in a variety of ways.

Figure 3. Sudden display of ads

These services also prompt users to run the app whenever they install, uninstall, or update apps on their device.

Figure 4. Button that prompts the user to run the app

To promote these apps to new users, the malware author created an advertising page on Facebook. Because the link to Google Play is distributed through legitimate social media, users download it without suspicion.

Figure 5. Facebook advertising page

How it works

This malware abuses the Contacts Provider. The Contacts Provider is the source of the data shown in the Contacts application on the device, and an app can also access that data and synchronize it between the device and online services. For this purpose, Google provides the ContactsContract class, the contract between the Contacts Provider and applications. ContactsContract contains a class called Directory. A directory represents a corpus of contacts and is implemented as a content provider with specific privileges, so developers can use it to implement custom directories. The Contacts Provider recognizes that an app implements a custom directory by checking for special metadata in the app’s manifest file.

Figure 6. Content providers declared with special metadata in the manifest

The key point is that the Contacts Provider automatically queries any newly installed or replaced package that declares this metadata. In other words, the Contacts Provider is called automatically whenever a package containing the special metadata is installed.

Simply declaring the metadata therefore causes the first activity defined under the application tag in the manifest file to execute as soon as the app is installed. In this malware, that first activity creates a persistent malicious service that displays advertisements.

Figure 7. Create a malicious service to display ads
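The manifest detail described above (a provider carrying the ContactDirectory metadata) and the icon/name spoofing described earlier are both visible in a decoded AndroidManifest.xml, which makes them a practical triage signal. The following scanner is an added example, not code from the McAfee post. It assumes the manifest has already been decoded to plain XML (for instance with apktool, which is my assumption, the post does not name a tool), that the metadata key is the documented `android.content.ContactDirectory` value from ContactsContract.Directory, and that the spoofed names appear as `android:label` values on an activity or activity-alias (an assumption about how the rename is implemented; the post only says icon and name tags are used). The sample manifests and the `com.example.cleaner` package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Documented meta-data key that registers a custom contacts Directory provider.
# The Contacts Provider queries any newly installed package that declares it,
# which is the auto-launch mechanism the post describes.
CONTACT_DIRECTORY_META = "android.content.ContactDirectory"

# Labels the post says the malware adopts to blend in. Assumption: in the
# decoded manifest they appear as android:label on an activity or alias.
SPOOFED_LABELS = {"Google Play", "Settings"}


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def scan_manifest(manifest_xml: str) -> dict:
    """Return providers that would be auto-queried on install and components
    whose label imitates a system app."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "auto_launch_providers": [],
        "spoofed_labels": [],
    }
    for provider in root.iter("provider"):
        for meta in provider.findall("meta-data"):
            if _attr(meta, "name") == CONTACT_DIRECTORY_META:
                findings["auto_launch_providers"].append({
                    "provider": _attr(provider, "name"),
                    "authorities": _attr(provider, "authorities"),
                    "exported": _attr(provider, "exported"),
                })
    for tag in ("activity", "activity-alias"):
        for comp in root.iter(tag):
            label = _attr(comp, "label")
            if label in SPOOFED_LABELS:
                findings["spoofed_labels"].append(
                    {"component": _attr(comp, "name"), "label": label, "tag": tag}
                )
    return findings


def risk_level(findings: dict) -> str:
    """Both signals together match the behaviour described in the post."""
    if findings["auto_launch_providers"] and findings["spoofed_labels"]:
        return "high"
    if findings["auto_launch_providers"] or findings["spoofed_labels"]:
        return "medium"
    return "low"


# Constructed sample: a fake cleaner with the auto-launch provider and a
# disabled alias labelled "Google Play" that can be swapped in later.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <application android:label="Example Cleaner">
    <activity android:name=".MainActivity" android:label="Example Cleaner"/>
    <activity-alias android:name=".FakeStore" android:targetActivity=".MainActivity"
        android:label="Google Play" android:enabled="false"/>
    <provider android:name=".DirectoryProvider"
        android:authorities="com.example.cleaner.directory"
        android:exported="true">
      <meta-data android:name="android.content.ContactDirectory" android:value="true"/>
    </provider>
  </application>
</manifest>
"""

# Constructed benign sample: no directory provider, no spoofed label.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:label="Notes"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for xml in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = scan_manifest(xml)
        print(result["package"], risk_level(result), result)
```

A legitimate contacts or directory app will also declare the ContactDirectory metadata, so the provider finding alone is only a medium signal; it becomes interesting when paired with system-app labels, a cleaner-style package name, or the persistent ad service the post describes.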

In addition, the service process is respawned immediately, even if it is killed.

Figure 8. Malicious service processes that continue to spawn

It then hides itself by changing its icon and name using tags.

Figure 9. Changing the app icon and name using tags

It has been confirmed that these apps already have between 100,000 and over 1 million installs each. Since the malware runs at installation time, the install count can be read as the number of victims. According to McAfee telemetry data, the malware and its variants affect a variety of countries, including South Korea, Japan and Brazil.

Figure 10. Top countries affected include South Korea, Japan and Brazil

Conclusion

This malware is auto-launching, so it infects a device as soon as the user downloads it from Google Play. Variants are also constantly being developed and published under various developer accounts. Therefore, it is not easy for users to notice this type of malware.

This threat has already been disclosed to Google and all reported applications have been removed from the Play Store. McAfee Mobile Security also detects this threat as Android/HiddenAds and protects users from this type of malware. For more information on McAfee Mobile Security, please visit https://www.mcafeemobilesecurity.com.

Indicators of Compromise:

App name                  Package name              Downloads
Junk Cleaner              cn.junk.clean.plp         1M+
EasyCleaner               com.easy.clean.ipz        100K+
Power Doctor              com.power.doctor.mnb      500K+
Super Clean               com.super.clean.zaz       500K+
Full Clean -Clean Cache   org.stemp.fll.clean       1M+
Fingertip Cleaner         com.fingertip.clean.cvb   500K+
Quick Cleaner             org.qck.cle.oyo           1M+
Keep Clean                org.clean.sys.lunch       1M+
Windy Clean               in.phone.clean.www        500K+
Carpet Clean              og.crp.cln.zda            100K+
Cool Clean                syn.clean.cool.zbc        500K+
Strong Clean              in.memory.sys.clean       500K+
Meteor Clean              org.ssl.wind.clean        100K+

SHA256:

4b9a5de6f8d919a6c534bc8595826b9948e555b12bc0e12bbcf0099069e7df90
4d8472f0f60d433ffa8e90cc42f642dcb6509166cfff94472a3c1d7dcc814227
5ca2004cfd2b3080ac4958185323573a391dafa75f77246a00f7d0f3b42a4ca3
5f54177a293f9678797e831e76fd0336b0c3a4154dd0b2175f46c5a6f5782e24
7a502695e1cab885aee1a452cd29ce67bb1a92b37eed53d4f2f77de0ab93df9b
64d8bd033b4fc7e4f7fd747b2e35bce83527aa5d6396aab49c37f1ac238af4bd
97bd1c98ddf5b59a765ba662d72e933baab0a3310c4cdbc50791a9fe9881c775
268a98f359f2d56497be63a31b172bfbdc599316fb7dec086a937765af42176f
690d658acb9022765e1cf034306a1547847ca4adc0d48ac8a9bbdf1e6351c0f7
75259246f2b9f2d5b1da9e35cab254f71d82169809e5793ee9c0523f6fc19e4b
a5cbead4c9868f83dd9b4dc49ca6baedffc841772e081a4334efc005d3a87314
c75f99732d4e4a3ec8c19674e99d14722d8909c82830cd5ad399ce6695856666

Domain:

http[://]hw.sdk.functionads.com:8100

