The malware-infected apps span a variety of categories, including gaming, anti-virus, VPN, tutorials, social media and many more.
Bitdefender, a leading cybersecurity company, has recently revealed the existence of a massive and sophisticated mobile malware campaign that has been operating undetected on Android devices across the globe for more than six months.
The campaign, which poses a significant threat on a global scale, primarily aims to aggressively distribute adware to Android devices with the intention of generating revenue for the malicious actors involved. However, the researchers warn that these threat actors have the capability to switch tactics, potentially redirecting users to more dangerous forms of malware such as banking Trojans or ransomware.
So far, Bitdefender has identified over 60,000 unique apps carrying the adware, suggesting that there may be many more variants still lurking in the wild. This is a large number of malicious apps, and it underscores the importance of users downloading apps only from the official Play Store or the official websites of service providers. For instance, this will help ensure that your security app is not malicious and that the premium VPN you’ve just installed does not sell your data to advertisers.
Here are the countries most impacted by the new malware campaign:
- United States 55.27%
- South Korea 9.8%
- Brazil 5.96%
- Germany 2.93%
- United Kingdom 2.71%
- France 2.56%
- Kazakhstan 2.5%
- Romania 2.41%
- Italy 1.93%
- Other 12.19%
One of the remarkable aspects of this malware campaign is its longevity, as it has remained active since at least October 2022. The absence of behaviour-based detection capabilities on Android has enabled the malware to evade detection for such an extended period. Moreover, the sheer number of unique samples discovered strongly indicates that the operation is largely automated.
What sets this malware campaign apart is its distribution strategy. The malicious apps are not present in official app stores, requiring the perpetrators to convince users to download and install third-party applications. To accomplish this, the threat actors have disguised their malicious software as highly sought-after apps that are typically not found in official stores or have mimicked legitimate applications available on the Play Store.
The apps imitate various popular categories, including game cracks, unlocked game features, free VPNs, fake videos, Netflix, fake tutorials, ad-free versions of YouTube/TikTok, cracked utility programs, and fake security programs. Here is the full list shared by the researchers:
- Free VPN
- Fake videos
- Fake tutorials
- Game cracks
- Fake security programs
- YouTube/TikTok without ads
- Games with unlocked features
- Cracked utility programs: weather, PDF viewers, etc
The distribution of this malware occurs organically when users search for these specific types of apps, cracks, or mods. Websites dedicated to offering modded apps have become popular platforms for such distribution. When a user visits a website through a Google search for a “modded” app, they may be redirected to a deceptive page hosting the malware disguised as a legitimate download for the desired mod.
Bitdefender’s researchers have discovered the malware’s sophisticated techniques to remain hidden and ensure its persistence on infected devices. By not registering any launchers during installation, the malware avoids displaying an app icon on the device’s launcher.
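The "no launcher icon" trick described above is visible in the app's manifest: an app only gets a home-screen icon if one of its activities (or activity-aliases) declares an intent filter with the MAIN action and the LAUNCHER category. The script below is an added example for defenders and is not code from the Bitdefender report; it assumes you have already decoded an APK's AndroidManifest.xml to plain XML (for example with apktool) and checks whether the package declares any launcher entry at all. The two manifests embedded in it are constructed samples, not real apps.

```python
"""
Added example (not from the Bitdefender article): flag Android packages whose
manifest declares no launcher activity, the hidden-icon technique described
in the text.

Assumption: the APK's AndroidManifest.xml has already been decoded to plain
XML (e.g. with apktool); this script parses that text only.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree form of android:name


def launcher_activities(manifest_xml: str) -> list[str]:
    """Return the names of activities or activity-aliases that carry a
    MAIN + LAUNCHER intent filter, i.e. the entries that get an icon."""
    root = ET.fromstring(manifest_xml)
    found = []
    for comp in root.iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        for filt in comp.findall("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in filt.findall("action")}
            cats = {c.get(NAME_ATTR) for c in filt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                found.append(comp.get(NAME_ATTR))
                break  # one qualifying filter is enough for this component
    return found


def hides_icon(manifest_xml: str) -> bool:
    """True when the package declares no launcher entry at all.

    This is a triage heuristic, not proof of malice: keyboards, background
    services and companion apps legitimately ship without an icon, so a hit
    should be reviewed together with the app's source and permissions."""
    return len(launcher_activities(manifest_xml)) == 0


# Constructed sample: an ordinary app with a visible launcher activity.
NORMAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.legit">
  <application android:label="Legit">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample: an activity that only handles VIEW intents plus a
# service, so nothing ever appears in the launcher.
HIDDEN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.noicon">
  <application android:label="Player">
    <activity android:name=".ViewActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <service android:name=".BackgroundService"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml_text in (("normal", NORMAL_MANIFEST), ("hidden", HIDDEN_MANIFEST)):
        print(label, "launchers:", launcher_activities(xml_text),
              "hides icon:", hides_icon(xml_text))
```

Run it against a batch of decoded manifests and the packages with no launcher entry are the ones worth a closer look; combining this with the "installed from outside the Play Store" signal narrows the list further.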
The malware also employs a special packer that utilizes the SQLCipher package to encrypt its malicious content. Bitdefender’s technical blog post includes further details about the infection process.
To protect Android devices from this widespread malware campaign and similar threats, it is crucial to employ a robust security solution capable of detecting and preventing such attacks.
Users are strongly advised against downloading apps from third-party app stores or websites, as these platforms pose a higher risk of malware infection. It is always safest to stick to official app stores for app downloads.