The adware has the capability to disappear every 15 minutes to avoid detection.
Trend Micro researchers have identified several apps on Google Play Store that contain adware and can display ads that keep reappearing after every 15 minutes.
The company revealed that two barcode reader apps namely “QR & Barcode Scanner” and “Barcode Reader” both are adware apps and have been downloaded over a million times.
However, while researching, Trend Micro was able to discover 51 different apps demonstrating similar behavior as the abovementioned apps. Most of them were either removed by Google already or were being distributed via third-party websites or online marketplaces.
The barcode reader apps were infected with AndroidOS_HiddenAd.HRXJA, that worked in the background and launched ads that kept disappearing from view. The apps could disguise as other legit apps such as Facebook and kept working in the background even when the device wasn’t in use.
Trend Micro further noted that the apps were launched as legitimate barcode readers in 2018 and adopted ad-serving functionality later in 2019. Gradually their capabilities were improved to reach a particular level of sophistication.
According to the company’s blog post, these ads were displayed every 15 minutes and closed immediately when the user tries to open them. Hence, a user can only view brief flashes of the ads, but this is sufficient time to register a false ad impression and make money.
Moreover, their behavior is being controlled through a malicious C&C server that sends the apps’ configuration information and commands as well as ad IDs to guide the malware about its next activity.
The Android malware can also open specific content in the infected device’s browser or initiate an activity with the FLAG_ACTIVITY_NEW_TASK so that the user stays unaware of which app initiated the new task.
All that the victim can realize is that their phone’s screen flashes every 15 minutes and considers it a hardware/panel related issue. Even if the user tries to investigate who’s running the ad flashes, the app would not be located as it can disguise itself under a fake app name and icon.
Google has now removed the apps from its Android platform after Trend Micro reported the threat. Yet, the chances are there can be more apps with similar behavior who went unchecked and unreported.
Therefore, if you are an Android user refrain from installing unnecessary apps, use reliable anti-virus software, and keep your device updated. In case you find an app with malicious function, use this link to report it to Google.