Sun. Feb 23rd, 2020

Google removed 85 apps with malicious advertising programs on Play Store


Although the Google Play Store has very strict review conditions, malicious apps still get through. For this reason, Google cleans up the Play Store from time to time, removing malicious programs that pretend to be regular applications (such as albums and games). In the latest wave of cleanups, Google removed 85 apps carrying malicious programs.

According to a Trend Micro report, the 85 apps removed from the Play Store have very serious advertising problems. These apps carry adware called “AndroidOS_Hidenad.HRXH”. Trend Micro said the adware uses “unique technology” to help evade detection and display non-skippable, hard-to-close (full-screen) ads.


After Trend Micro’s security experts discovered the apps that carried the adware, they sent the relevant findings to Google, which then removed them. So what is the “unique technology” that this adware uses to avoid immediate deletion?

“After the app is launched, it first records two timestamps: the current time (the device’s system time) as “installTime”, and the network time, whose timestamp is retrieved by abusing a publicly available and legitimate RESTful application programming interface (API), then stored as “networkInstallTime”.

Every time the user unlocks the device, the adware will perform several checks before it executes its routines. It first compares the current time (the device’s system time) with the timestamp stored as installTime; it then compares the current network time (queried via a RESTful API) with the timestamp stored as networkInstallTime. With these, the adware-embedded app can determine if it has been installed on the device long enough, with the default delay time configured to 30 minutes. To a certain extent, using network time can evade time-based detection techniques or triggers employed by traditional sandboxes, as the app’s time settings can be configured by simply using networkInstallTime.”

The good news, however, is that there is no such risk as long as the user is running the latest Android version. Trend Micro said the adware appears to affect only devices that are still on Android 8.0 or earlier, as newer versions of Android will display a confirmation dialog before the app performs its dark tasks. The apps carrying this adware have been downloaded more than 8 million times, which suggests that many users are still being harassed by these malicious programs.
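
The behaviour in the Trend Micro quote above leaves two observable traces that an analysis sandbox can look for: an app that stores both “installTime” and “networkInstallTime”, and a network time lookup that follows every device unlock. The following detection sketch is an added example, not code from Trend Micro or Google; the trace format, package names, URLs, URL hints, the 5-second window and the use of Android's USER_PRESENT broadcast to mark an unlock are assumptions, and the trace itself is constructed.

```python
from collections import defaultdict

PREF_KEYS = {"installTime", "networkInstallTime"}  # key names quoted in the article
UNLOCK = "android.intent.action.USER_PRESENT"      # Android broadcast sent on unlock
WINDOW_S = 5                                       # assumed: lookup within 5 s of unlock
TIME_HINTS = ("time", "clock", "utc")              # assumed hints for time-API URLs

# Constructed sandbox trace: (seconds since install, package, event type, detail)
TRACE = [
    (0,   "com.example.album", "pref_write", "installTime"),
    (0,   "com.example.notes", "pref_write", "installTime"),
    (1,   "com.example.album", "http_get",   "https://time-api.example/utc"),
    (1,   "com.example.album", "pref_write", "networkInstallTime"),
    (300, "*",                 "broadcast",  UNLOCK),
    (301, "com.example.album", "http_get",   "https://time-api.example/utc"),
    (302, "com.example.notes", "http_get",   "https://cdn.example/icons.png"),
    (900, "*",                 "broadcast",  UNLOCK),
    (901, "com.example.album", "http_get",   "https://time-api.example/utc"),
]

def is_time_lookup(url):
    """Crude URL match for a network time query (assumed heuristic)."""
    return any(hint in url.lower() for hint in TIME_HINTS)

def score_trace(trace):
    """Return {package: set of matched indicators} for one sandbox run."""
    unlocks = {t for t, _, kind, d in trace if kind == "broadcast" and d == UNLOCK}
    prefs = defaultdict(set)    # package -> timestamp keys it persisted
    polled = defaultdict(set)   # package -> unlocks followed by a time lookup
    for t, pkg, kind, detail in sorted(trace):
        if kind == "pref_write" and detail in PREF_KEYS:
            prefs[pkg].add(detail)
        elif kind == "http_get" and is_time_lookup(detail):
            polled[pkg].update(u for u in unlocks if 0 <= t - u <= WINDOW_S)
    hits = defaultdict(set)
    for pkg in set(prefs) | set(polled):
        if prefs[pkg] == PREF_KEYS:
            hits[pkg].add("dual_timestamps")
        if unlocks and polled[pkg] == unlocks:
            hits[pkg].add("time_lookup_on_every_unlock")
    return dict(hits)

def suspicious(trace):
    """Packages matching both indicators of the delayed-trigger pattern."""
    return sorted(p for p, h in score_trace(trace).items() if len(h) == 2)

if __name__ == "__main__":
    print(suspicious(TRACE))
```

Because the quoted default delay is 30 minutes and is measured against network time as well, a sandbox run has to outlast that delay in real or simulated network time, not just advance the device clock, before the ad behaviour itself can be observed.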