Android malware apps found with 2 million installs on Google Play

A new batch of 35 Android malware apps that display unwanted advertisements was found on the Google Play Store. The apps were installed more than 2 million times on victims’ mobile devices.

The apps were discovered by security researchers at Bitdefender, who employ behavior-based real-time analytics to spot potentially malicious apps.

Following standard tactics, these apps lure users into installing them by pretending to offer some special functionality, then change their name and icon immediately after installation, making them difficult to find and uninstall.

From that point on, the malicious apps abuse WebView to deliver intrusive ads to users, generating fraudulent impressions and ad revenue for their operators.

Additionally, because these apps use their own framework to load ads, they may place additional payloads on infected devices.

Hiding methods

As Bitdefender explained in its report, the adware apps implement multiple methods to hide on Android and even receive later updates that make them easier to hide on the device.

Once installed, these apps often take on a gear icon and rename themselves to “Settings” to evade detection and removal.

If the user taps the icon, the app launches the malware application with a size of 0 so that it is hidden from view. The malware then launches the legitimate Settings menu, tricking users into thinking they launched the correct application.

Function to activate system settings (Bitdefender)

In some cases, the application takes on the appearance of a Motorola, Oppo or Samsung system application.

The malicious apps also use extensive code obfuscation and encryption to thwart reverse-engineering efforts, hiding the main Java payload in two encrypted DEX files.

Another way the apps hide from the user is by excluding themselves from the “Recent Apps” list, so even if they are running in the background, viewing the active processes won’t reveal them.
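For defenders triaging a suspect APK, the two hiding behaviours described above can be checked in the app's decoded manifest. The following is an added example, not code from Bitdefender's report or from the apps themselves: it assumes the manifest has been decoded to plain XML with literal labels, that `com.android.settings` is the only package expected to present itself as "Settings", and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
LAUNCHER = "android.intent.category.LAUNCHER"
# Assumption: the only package allowed to present itself as "Settings".
TRUSTED_SETTINGS_PACKAGES = {"com.android.settings"}
SUSPICIOUS_LABELS = {"settings"}

# Constructed sample manifest; labels are literal, not @string/ references.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <application android:label="Wallpaper Pack">
    <activity android:name=".MainActivity" android:excludeFromRecents="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity-alias android:name=".Alias" android:label="Settings"
        android:targetActivity=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return a sorted list of (component, finding) for launcher components."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []
    for comp in root.iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        cats = {c.get(A + "name") for c in comp.iter("category")}
        if LAUNCHER not in cats:
            continue  # only components that put an icon in the launcher
        name = comp.get(A + "name", "?")
        label = (comp.get(A + "label") or "").strip().lower()
        if comp.get(A + "excludeFromRecents") == "true":
            findings.append((name, "launcher activity hidden from Recent Apps"))
        if label in SUSPICIOUS_LABELS and package not in TRUSTED_SETTINGS_PACKAGES:
            findings.append((name, "launcher entry labelled like system Settings"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in triage_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {finding}")
```

A hit is a reason to look closer, not a verdict: legitimate apps also set `excludeFromRecents` on some activities, which is why the check is limited to launcher components.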

Top apps that serve ads

The 35 malicious Android apps had downloads ranging from 10,000 to 100,000, with a total of more than 2 million downloads.

The most popular of these, with 100,000 downloads, are as follows:

  • Wall Lights – Wallpaper Pack (gb.packlivewalls.fournatewren)
  • Big Emoji – Keyboard 5.0 (gb.blindthirty.funkeyfour)
  • Big Wallpaper – 3D Backgrounds 2.0 (gb.convenientsoftfiftyreal.threeborder)
  • Engine wallpaper (gb.helectronsoftforty.comlivefour)
  • Stock wallpapers (gb.fiftysubstantiated.wallsfour)
  • EffectMania – Photo Editor 2.0 (gb.actualfifty.sevenelelegantvideo)
  • Art Filter – Deep Photoeffect 2.0 (gb.crediblefifty.editconvincingeight)
  • Fast Emoji Keyboard APK (de.eightyamocenko.editioneights)
  • Create stickers for Whatsapp 2.0 (gb.convincingmomentumeightyverified.realgamequicksix)
  • Math Solver – Camera Assistant 2.0 (gb.labcamerathirty.mathcamera)
  • Photopix Effects – Art Filters 2.0 (gb.mega.sixtyeffectcameravideo)
  • Led Theme – Color Keyboard 2.0 (gb.theme.twentythreetheme)
  • Animated Sticker Master 1.0 (am.asm.master)
  • Sleep Sounds 1.0 (com.voice.sleep.sounds)
  • Personality Charging Show 1.0 (
  • Image warping camera
  • GPS Locator (smart.ggps.lockakt)

Of these, “Walls light – Wallpaper Pack”, “Animated Sticker Master” and “GPS Locator” are still available on the Play Store at the time of writing.

Adware still available on Play Store

Bleeping Computer has reached out to Google regarding this matter and we will update this post as soon as we hear back.

The remaining apps listed are available on several third-party app stores such as APKSOS, APKAIO, APKCombo, APKPure, and APKsfull, but the download counts shown are from their time on the Play Store.

That said, if you’ve installed any of these apps in the past, you should immediately find and delete them from your device.

Since these apps masquerade as Settings, running a mobile AV tool to locate and remove them may help in this case.
