Apple and Google have cumulatively removed over 50 apps from their respective mobile app stores that were found serving malicious ads to millions of users.
The findings were were disclosed separately by London-based mobile security firm Wandera and Slovakian security solutions provider ESET.
Disruptive ad behavior
ESET found at least 42 Android apps that were available on the Google Play store, which contained a new strain of adware called Ashas.
The apps, installed more than eight million times since they first debuted in July 2018, have been traced back to a Vietnamese university student in Hanoi.
Once installed, the app didn’t just serve disruptive fullscreen ads, but also connected to a remote server to send details about the infected device: device type, OS version, language, number of installed apps, free storage space, battery status, whether the device is rooted and Developer mode enabled, and whether Facebook and Facebook Messenger are installed.
The Android apps also had one other clever trick up their sleeves: geofencing Google’s IP addresses to hide the adware behavior so that it would bypass Google Play security checks.
Although the malware-infested apps have been removed from Google Play, it’s possible they’re available on third-party app stores or already installed on people’s phones.
In a similar development, Wandera researchers found 17 iOS malicious apps that generated fraudulent ad clicks in order to inflate digital revenue.
The apps, published in different countries by an India-based developer AppAspect Technologies Pvt. Ltd., contained a stealthy clicker Trojan malware designed to commit ad fraud by clicking links sans any user interaction.
They were also found to communicate with a command-and-control (C2) server to trigger targeted advertising and even subscribing users to premium services without their knowledge — a behavior not observed in the developer’s Android apps.
Interestingly, this C2 server was flagged back in August by Dr. Web researchers, as part of a similar clicker trojan campaign on Android.
Artificially boosting ad revenues through phony ad clicks is a clear-cut case of App Store policy violation. So, it’s easy to see why Apple promptly took action.
It’s entirely possible that the developers had no idea of this rogue behavior until they were caught in the act. Incorporating third-party code from unknown sources can pave the way for sketchy software, turning an entirely innocuous app into something malware-infested.
Rising mobile malware threats
Malicious apps have continued to plague official app stores both for iOS and Android, as smartphones have proven to be a lucrative attack surface for criminals to carry out highly targeted campaigns.
Indeed, new research from BlackBerry Cylance has found that state-spsonsored threat groups from North Korea, China and Iran — including Winnti, Lazarus, Iron Husky, Sutr, and Domestic Kitten — are increasingly exploiting the mobile dimension for espionage campaigns by developing native Android and/or iOS mobile malware designed to spy on targets of interest.
“Techniques like those used in this example also point to more instances of malware being introduced into official app sources, making it more accessible to everyday consumers and mobile workers alike,” Wandera said.
Although Apple and Google’s official app stores are the some of the most secure places to download apps, malware-ridden apps have found one way or the other to get around the security checkpoints and slide into the platforms.
Adware, while less severe than other targeted campaigns, have been pervasive on Android. On iOS, not so much. If anything, the incident points to growing challenges with app screening process, what with the defences coming down in the face of such sophisticated adware attacks.
“Sneaking unwanted or harmful functionality into popular, benign apps is a common practice among ‘bad’ developers,” the researchers said, underscoring the need for carefully scrutinizing each app and their permissions before downloading them.
If you have installed one of the aforementioned apps, you should waste no time removing them from your devices.
Read next: Pardon the Intrusion #3: it's 2FA or bust