In early August 2022, the McAfee Mobile Research team identified a new virus, called HiddenAds, making its way through the Google Play store. According to the McAfee researchers, this virus has already affected more than one million users, a number expected to increase in the coming weeks.
Attackers, taking advantage of the open development platform of Google Play, embed HiddenAds code into over a dozen device cleaner or optimization apps in the Google Play store. Once installed, the malicious code executes and begins taking over services on the device while disguising itself by using the Google Play icon.
HiddenAds is designed in a way that code can self-execute even if the app is never accessed on an infected device. This ensures that a device is soon overrun by its payload, resulting in degraded device performance, unwanted advertising (which may download additional threats), or be autosubscribed to apps and services that download or bill the user without their knowledge.
The impact of HiddenAds on user privacy and the potential for intrusion into banking apps or stored credit card accounts can’t be overstated. This also illustrates a larger problem with Google Play and its ability to be easily used as a launching pad for even worse attacks.
The recent discovery of HiddenAds within commercial apps in the Google Play store has proven (again) that app stores are a perfect way to quickly distribute any form of malware. Coders can take advantage of these vast distribution networks to slip malicious code onto millions of Android-based mobile devices before attracting any notice.
The Google Play store is the largest attack vector for the targeting of mobile devices, with almost two of every three mobile device malware infections coming from the apps hosted on the platform. This is due to its open development platform, and the lack of in-depth app reviews, such as those performed by Apple. And although malware occasionally makes it through the Apple Store, it’s not nearly as common an occurrence as it is for Google Play.
This should be a concern for any Android user. In the case of HiddenAds, the attack only amounts to performance degradation, some unwanted ads, and a few mischarges on a bill. But what happens when the stakes become higher and attack vectors such as HiddenAds morph into the realm of ransomware?
Android users must remain especially vigilant when seeking out Google Play Store apps. Sticking to apps from large, known publishers is a good approach. Reviewing the update history for an app will indicate if its developers take its security seriously. And should the device suddenly start to experience performance issues, reset it immediately to factory defaults, change all relevant passwords, and monitor financial statements closely for at least 90 days.