Crooks are copying legitimate apps and lace them with “out-of-context” adware components. Users are having difficulty realizing which app is serving the intrusive ads. The apps have been removed from the Play Store, but only after 10 million people downloaded them. A team of researchers at ‘Satori Threat Intelligence’ has found 164 copycat Android apps that have a total of 10 million downloads on the Play Store. Google has already removed all of them following the relevant reports, but a large number of people may still be using them on their devices.
All of these apps mimic popular software projects like mobile AV tools or games, but in reality, they are just adware. The scammers who create these apps copy the code of legitimate apps and lace it with adware components.
As the ads are served and displayed out of the context of the application’s functionality, many users don’t realize which the culprit app is. Furthermore, these copycat apps use dynamically changing configurations controlled by a command-and-control JSON hosted on Dropbox, so the actors can change the ad-serving frequency, set tricky time delays, change the Publisher ID, and more.
To further obfuscate these apps’ malevolent operation, their authors have set the interstitial processes to be excluded from the “recent apps” list by default. This makes it harder for the users to figure out where the intrusive apps come from. Considering that the ads are typically served when the laced app isn’t even actively running, users would go through a lot of trial and error in order to figure out what causes the adware trouble on their devices.
This discussion appeared on TechNadu and WhiteOps blog .