Google Play Store Apps Laced With New Adware

It can’t be easy to run a large corporation, but Google execs apparently are learning that it’s downright daunting, especially when a third party finds adware in one of the company's top services.

Security Intelligence Blog Trend Micro has found another flaw in Google Play. In an example of adware’s potential impact, a new form uses unique techniques to evade detection through user behavior and time-based triggers. It also displays advertisements that are difficult to close.

The apps laced with adware posed as 85 photography or gaming applications on Google Play, where they have netted more than eight million downloads in aggregate. Many appear to be camera related.

Trend Micro disclosed the findings to Google, which reportedly removed the apps from the Play Store. Searching for them doesn't appear to reveal the apps, including Super Selfie, and Magic Camera. The list of apps are published here.



It’s interesting how the adware checks for user behavior or preferences. Ecular Xu, mobile threat response engineer at Trend Micro, explains in a post that “it first records two timestamps: the current time (the device’s system time) as installTime, and the network time, whose timestamp is retrieved by abusing a publicly available and legitimate RESTful application programming interface (API), then stored as networkInstallTime.”

Each time the user unlocks the device, the adware will perform several checks before it executes its routines. It compares the current time -- the time on the device -- with the timestamp stored as installTime. Then it compares the current network time, queried at a RESTful API, with the timestamp stored as networkInstallTime.

“From this information the adware-embedded app can determine whether it has been installed on the device long enough, with the default delay time configured to 30 minutes, Xu writes.

If the app determines it has been installed for more than 30 minutes, it hides its icon and creates a shortcut on the device’s home screen. The app uses Java reflection to evade detection.

Users are then forced to view the entire duration of the ad before being able to close it or go back to app itself.

Next story loading loading..