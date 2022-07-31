



Several adware apps are actively promoted on Facebook as system cleaners and optimizers for Android devices count millions of installs on Google Play Store.

The app lacks all promised features and pushes ads while trying to last as long as possible on the device.

To avoid removal, the app constantly changes its icon and name and hides on the victim’s device under the guise of Settings or the Play Store itself.

Rename installed app icons and names (McAfee)

Adware apps exploit the Contact Provider Android component to allow data transfer between your device and online services.

This subsystem is called every time a new app is installed, so adware can use it to initiate the ad serving process. Ads may appear to users to be pushed by legitimate apps that they have installed.

McAfee researchers have discovered an adware app. They point out that adware starts automatically with no interaction, so users don’t need to launch them after installation to see ads.

The first action from these unwanted apps is to create a persistent service to display ads.

Malicious service restarts immediately (McAfee)

The following video shows how the adware’s name and icon automatically change and serve ads without any user interaction.

Millions of downloads on Google Play

As McAfee commented in the report, users see the Play Store link on Facebook, leaving little doubt that they trust the adware app.

Facebook promotion for cleaner apps (McAfee)

This resulted in an unusually high number of downloads for certain types of applications, as shown in the list below.

Junk Cleaner, cn.junk.clean.plp, 1 million+ downloads EasyCleaner, com.easy.clean.ipz, 100,000+ downloads Power Doctor, com.power.doctor.mnb, 500,000+ downloads Super Clean, com.super.clean.zaz, 500k+ downloads Full Clean -Clean Cache, org.stemp.fll.clean, 1M+ downloads Fingertip Cleaner, com.fingertip.clean.cvb, 500K+ downloads Quick Cleaner, org .qck.cle.oyo, 1M+ downloads Keep Clean, org.clean.sys.lunch, 1M+ downloads Windy Clean, in.phone.clean.www, 500K+ downloads Carpet Clean, og.crp.cln .zda, 100k+ downloads Cool Clean, syn.clean.cool.zbc, 500k+ downloads Strong Clean, in. memory.sys.clean, 500k+ downloads Meteor Clean, org.ssl.wind.clean , over 100,000 downloads

Most affected users are based in South Korea, Japan and Brazil, but unfortunately the adware reaches users all over the world.

Heatmap of infected Android users (McAfee)

Adware apps are no longer available on the Play Store. However, the user who installed them must manually remove them from their device.

System cleaners and optimizers are a popular software category, even though they offer fewer benefits. Cybercriminals know that many users try such solutions to extend the life of their devices, often disguised as malicious apps.

