Google’s Android operating system is installed on more than 2.5 billion devices across the globe – that makes it a huge target for hackers, malware and other menacing threats. Last week, McAfee released a new mobile threat report that not only discusses the latest trends in malware and how it will change going forward, but it also highlights three new types of malware affecting Android that are particularly concerning.
The first is called HiddenAds and – as the name suggests – is designed to bombard your device with adverts while also concealing itself to make it difficult for users to root out.
McAfee said it analysed two instances of HiddenAds, one of which was an app pretending to be the hit blockbuster Call of Duty while the other was posing as FaceApp – the app that rose to prominence last year for its ageing filter.
Unlike the genuine versions of both apps, though, these nasty doppelgängers were noted to change their copycat icons to mimic the Settings app of an infected device. If the user clicks on the dummy icon, it will display a message reading “application is unavailable in your country. Click OK to uninstall”. Pressing the OK button doesn’t dismiss the message; instead, it completes the installation of the malware and hides the fake Settings app icon entirely.
Of course, this is done to make HiddenAds harder to detect on an infected device. Unlike a bunch of other adware that has infected Android in the past, McAfee noted HiddenAds uses a time interval to vary the number of adverts displayed, making it more discreet in some circumstances.
The security firm explained: “Earlier variants of HiddenAds displayed ads frequently, trying to generate as much fraudulent revenue as possible before being removed. These new versions use a time interval to manage the number of ads displayed in the hopes of remaining undiscovered.
“The version that McAfee Mobile Research analysed contained two timers: Install Frequency and Start Delay. Install Frequency, which was set to 1,000 seconds (16 minutes and 40 seconds), limits the rate of install requests.”
In addition to displaying annoying adverts, HiddenAds was also noted to be capable of collecting “device and user information”.
McAfee went on: “HiddenAds poses multiple threats to mobile consumers beyond the annoying ads. This malware can collect device and user information, invading the user’s privacy. It can also suggest and distribute other malicious applications, based on the event triggers and monitoring the user’s behaviour.”
Second on McAfee’s malware hit list is MalBus – another dangerous piece of software that was noted to attack in an entirely new way.
Unlike HiddenAds, which disguises itself as popular apps, MalBus was noted to go after popular Android apps and hack them. In particular, McAfee disclosed the South Korean transit app Daegu Bus was one such target.
“MalBus represents a new attack method. Instead of building a fake app and pushing it up the ranking with fake reviews, these criminals went after the account of a legitimate developer of a popular app with a solid reputation”, McAfee said.
“Two variants of this app reported more than 100,000 and 500,000 installs. After the threat actors got into the account, they added an additional library to the apps and uploaded them to Google Play. During installation, the malicious library checks whether it is already installed, and, if not, runs an update process to download and dynamically load a malicious Trojan disguised as a media file.”
After it has been installed, MalBus will phish for a user’s Google account information by generating a copycat Google login screen prompting them to sign in. If the user falls for it, the malware will then attempt to alter the recovery email for the account in question, thereby allowing the attackers to change the account’s password.
The example app described by McAfee – Daegu Bus – has since been removed from the Play Store.
Last, but certainly not least, LeifAccess is a type of malware capable of generating fake app rankings and reviews on the Play Store in an attempt to increase the downloads for malicious apps.
McAfee said LeifAccess is distributed through “fraudulent advertising” and gaming voice chat platform Discord. The security firm analysed LeifAccess and was eager to note the malware immediately makes it difficult for users to remove it – with no icon or shortcut for it displayed on a device.
It also shows a host of “fake warnings” that are utilised to get a user to activate a number of varying accessibility services.
McAfee explained: “These cover a range of vague but scary system warnings, such as ‘system needs to upgrade your video decoder,’ ‘application reduces your phone performance, please check it now,’ and ‘security error should be dealt with immediately’. In an effort to separate the warnings from installation, the malware waits up to eight hours before showing the fake notification.”
Even if a user disables the malware’s ability to take advantage of accessibility services, it was still noted to possess the ability to “perform click fraud and install other apps without accessibility functions”.
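The two traits described above, an app with no launcher icon and an app granted an accessibility service, can be cross-checked on a device you are triaging. The sketch below is an added example, not McAfee's tooling: it assumes you have saved the output of `pm list packages -3`, the value of `settings get secure enabled_accessibility_services`, and a list of launcher activity components (one per line, however collected); every package name in the sample data is constructed.

```python
# Added triage example. All package names and sample outputs are constructed.

def parse_packages(pm_output):
    """Parse 'package:<name>' lines, the format printed by `pm list packages -3`."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def component_packages(text):
    """Extract package names from 'pkg/class' components split by ':' or whitespace."""
    return {tok.split("/", 1)[0]
            for tok in text.replace(":", " ").split() if "/" in tok}

def triage(third_party, launcher_pkgs, a11y_pkgs):
    """Flag user-installed packages that hide from the launcher and/or hold an accessibility service."""
    findings = []
    for pkg in sorted(third_party):
        hidden = pkg not in launcher_pkgs   # no icon or shortcut on the device
        a11y = pkg in a11y_pkgs             # accessibility service currently enabled
        if hidden and a11y:
            findings.append((pkg, "high"))
        elif hidden or a11y:
            findings.append((pkg, "review"))
    return findings

SAMPLE_PACKAGES = """package:com.example.busapp
package:com.example.keyboard
package:com.example.reader
package:com.example.decoder.update"""

SAMPLE_LAUNCHER = """com.example.busapp/.MainActivity
com.example.reader/.HomeActivity"""

SAMPLE_A11Y = "com.example.reader/.ReadAloudService:com.example.decoder.update/.HelperService"

def run_sample():
    return triage(parse_packages(SAMPLE_PACKAGES),
                  component_packages(SAMPLE_LAUNCHER),
                  component_packages(SAMPLE_A11Y))

if __name__ == "__main__":
    for pkg, level in run_sample():
        print(f"{level:6} {pkg}")
```

Plenty of legitimate apps, such as keyboards and screen readers, match one of the two signals, so a "review" result is a prompt to look closer rather than a verdict.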
By far the most worrying aspect of LeifAccess is its ability to post fake reviews and ratings for apps on the Google Play Store. The former were noted to be pretty simple, with a few words like “very simple and useful” and “great, works fast and good” being used. The malware was also noted to be capable of posting reviews in multiple languages.
Because many Android users scour reviews before they download an app to make sure it’s legitimate, LeifAccess certainly has the capability to trick individuals into downloading dangerous malware onto their device.
For this reason, Android users are advised to look out for a stream of somewhat basic-sounding reviews that are eager to give an app five stars without any real explanation as to why.
It’s also worth doing your homework on a particular app developer – if they have a history of distributing apps plagued with malware, it’s probably not a good idea to install one of their apps on your device.