
It can’t be easy to run a large corporation, but Google execs apparently are learning that it’s downright daunting, especially when a third party finds adware in one of the company’s top services.
Trend Micro reports on its Security Intelligence Blog that it has found another flaw in Google Play. In an example of adware’s potential impact, a new form uses unique techniques to evade detection, relying on user
behavior and time-based triggers. It also displays advertisements that are difficult to close.
The apps laced with adware posed as 85 photography or gaming applications on Google Play, where
they have netted more than eight million downloads in aggregate. Many appear to be camera related.
Trend Micro disclosed the findings to Google, which reportedly removed the apps from the Play
Store. Searching for them doesn't appear to reveal the apps, including Super Selfie and Magic Camera. The list of apps is published here.
It’s interesting how the adware checks for user behavior or preferences. Ecular Xu, mobile threat response engineer
at Trend Micro, explains in a post that “it first
records two timestamps: the current time (the device’s system time) as installTime, and the network time, whose timestamp is retrieved by abusing a publicly available and legitimate RESTful
application programming interface (API), then stored as networkInstallTime.”
Each time the user unlocks the device, the adware will perform several checks before it executes its
routines. It compares the current time -- the time on the device -- with the timestamp stored as installTime. Then it compares the current network time, queried from a RESTful API, with the timestamp
stored as networkInstallTime.
“From this information the adware-embedded app can determine whether it has been installed on the device long enough, with the default delay time configured
to 30 minutes,” Xu writes.
If the app determines it has been installed for more than 30 minutes, it hides its icon and creates a shortcut on the device’s home screen. The app uses
Java reflection to evade detection.
Users are then forced to view the entire duration of the ad before being able to close it or go back to the app itself.
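
A static triage check for the behaviours described above, added here as an example and not code from Trend Micro or from the apps: it searches an app's decompiled text for the installTime and networkInstallTime names together with an unlock trigger and launcher-icon hiding. The Android API strings are assumptions about how such behaviour is commonly implemented, and both sample inputs are constructed.

```python
import re

# Behaviours from the article mapped to strings a reviewer can search for in
# decompiled output. The two timestamp names come from the article; the Android
# API names are assumptions about how such behaviour is commonly implemented.
INDICATORS = {
    "install_timestamps": [r"\binstallTime\b", r"\bnetworkInstallTime\b"],
    "unlock_trigger": [r"android\.intent\.action\.USER_PRESENT"],
    "icon_hiding": [r"PackageManager;->setComponentEnabledSetting"],
    "shortcut_creation": [r"com\.android\.launcher\.action\.INSTALL_SHORTCUT",
                          r"ShortcutManager;->requestPinShortcut"],
    "reflection": [r"Ljava/lang/reflect/Method;->invoke"],
}
# Categories where every pattern must be present, not just one of them.
REQUIRE_ALL = {"install_timestamps"}


def triage(decompiled_text):
    """Return (matched_categories, verdict) for one app's decompiled text."""
    matched = set()
    for name, patterns in INDICATORS.items():
        hits = [bool(re.search(p, decompiled_text)) for p in patterns]
        if (all(hits) if name in REQUIRE_ALL else any(hits)):
            matched.add(name)
    # Reflection or shortcuts alone are common in benign apps; the signal is
    # a delayed trigger on unlock combined with hiding the launcher icon.
    core = {"install_timestamps", "unlock_trigger", "icon_hiding"}
    verdict = "review" if core <= matched else "no match"
    return matched, verdict


# Constructed samples (not taken from any real app).
SUSPECT = """
<action android:name="android.intent.action.USER_PRESENT"/>
const-string v0, "installTime"
const-string v1, "networkInstallTime"
invoke-virtual {v2, v3, v4, v5}, Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V
invoke-virtual {v6, v7, v8}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
<action android:name="com.android.launcher.action.INSTALL_SHORTCUT"/>
"""
BENIGN = """
const-string v0, "installTime"
invoke-virtual {v6, v7, v8}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
"""

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(text))
```

Because the article says the app uses Java reflection to evade detection, API references may not appear as literal strings, so a "no match" result does not clear an app.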