March 18, 2015
13 More Pieces of Adware Slip Into the Google Play Store
Unfortunately, even official app stores’ app-vetting systems are not perfect. Lookout has found 13 instances, or apps, with adware in Google Play, some of which pretend to be Facebook and have malware-like characteristics making it difficult to remove from the phone.
We alerted Google to these 13 instances and the company quickly removed them from the store. All Lookout users are protected against this threat.
In the last month, a number of reports about adware in Google Play have surfaced. At the beginning of February, researchers found three instances of adware that allegedly withheld its aggressive advertising behavior for 30 days before serving victims ads and scaring them into opening web pages with risky content. In late February, researchers uncovered 10 more instances of adware that performed similar behavior.
Two families of adware called HideIcon and NotFunny hide within the 13 new instances Lookout found. In total, these instances have been downloaded over half a million times on the high end of Google’s download count and around 130,000 on the low end. Let’s take a look at the latest threats:
HideIcon
How many instances: 1
What is it: HideIcon actually has some qualities of malware in that, once it’s on the device, HideIcon does just what its title suggests it would: it hides the icon. This wouldn’t seem like such a big deal except to say that it makes it much harder to remove an app from your phone that you don’t know exists. After it hides the icon, variants of HideIcon will push aggressive ads to the user, disrupting their experience of the device. There seem to be no terms of service and the app does not provide value to the user.
Cheetah Mobile first found this adware in January, after which Google removed five rogue app instances housing it. Somehow, however, HideIcon slipped back into the Google Play system in this app.
What were the instances like: The app pretends to be the card game complete with a description in Google Play on how to play. At the time of removal, people downloaded the app 1,000 to 5,000 times.
NotFunny
How many instances: 12
What is it: NotFunny has two parts: a “dropper” and the “payload,” or the adware itself. The dropper hides in applications such as a “free Christmas ringtones app,” wallpaper apps, a fake laser pointer app, and others. When a victim downloads one of these apps and launches it, the dropper prompts him to download the payload. This payload app pretends to be Facebook, dropping a Facebook icon to the phone’s app launcher and asks for a number of permissions including “your personal information,” “services that cost you money,” “your messages,” “your location.” Once installation is complete the payload hides its icon.
Like most adware, the payload pushes aggressive advertising to the phone, disrupting the user’s experience. The code is fairly rudimentary and does not indicate that a sophisticated adversary is behind the threat.
What were the instances like: Lookout found 12 different instances of NotFunny in Google Play from a number of different developer accounts. Whether these accounts were run by different individuals is unknown. The apps ranged in topic from a “funny voice changer” to tools that supposedly change your battery widget into things like a burning cigarette. It’s easy to imagine a situation in which someone who just got a brand new phone would go running to download new, fun apps to personalize their experience of the device and stumble upon these.
After Google removed a group of applications, the developer behind them re-uploaded two of the apps, this time with the adware component removed. This could suggest that the developer added adware into the app without knowing its aggressive properties or didn’t understand Google’s rules. Of course, the developer could also simply have realized he or she wasn’t going to get away with it anymore as well.
Can we trust Google Play?
The short answer is yes. It takes industry collaboration to be able to secure app store environments and Google works diligently with security companies to ensure the apps in the Google Play are of quality. When a rogue app slips through, however, Google removes the apps as quickly as possible.
But the reality is, we need multiple lines of defense to make sure that our devices are safe.
How to stay safe
- Make sure you’re reading app reviews -- if they say, “This app keeps giving me ads!” or other negativity, second guess the app
- Download from known or trusted developers. Do a little research on the developer if you feel as if an app is obscure.
- Make sure you have a security app installed that can detect threats such as adware before they disrupt you
- Read app permissions before you install an application.
How to remove adware
There are two ways to uninstall an app from your Android device if the app hides its icon. You can remove it through the settings menu:
- Navigate to your Android device’s setting menu
- Select “apps” or “application manager”
- Locate the app you wish to uninstall and tap it
- Select “uninstall”
Or, you can directly uninstall it from the Google Play store:
- Navigate to the Google Play Store app
- Tap the menu icon
- Navigate to “My apps”
- Tap the app in question
- Select “uninstall”