Android malware

A new batch of malicious Android apps filled with adware and malware was found on the Google Play Store that have been installed close to 10 million times on mobile devices.

The apps pose as image-editing tools, virtual keyboards, system optimizers, wallpaper changers, and more. However, their underlying functionality is to push intrusive ads, subscribe users to premium services, and steal victims’ social media accounts.

The discovery of these malicious apps comes from the Dr. Web antivirus team, who highlighted the new threats in a report published today.

Google has removed the vast majority of the presented applications, but at the time of writing this, three applications remain available for download and installation via the Play Store.

Also, if you installed any of these apps before their removal from the Play Store, you will still need to uninstall them from your device manually and run an AV scan to clean any remnants.

The new malicious Android apps

The adware apps discovered by Dr. Web are modifications of existing families that first appeared on the Google Play Store in May 2022.

Upon installation, the apps request permission to overlay windows over any app and can add themselves to the battery saver’s exclusion list so they can continue running in the background when the victim closes the app.

Malicious apps requesting exclusion from battery saver
Malicious apps requesting exclusion from battery saver (Dr. Web)

Additionally, they hide their icons from the app drawer or replace them with something resembling a core system component, like “SIM Toolkit”.

Attempting to trick users with icon replacement
Attempting to trick users with icon replacement (Dr. Web)

The full list of adware apps can be found at the bottom of the article, but one notable example still on the Play Store is ‘Neon Theme Keyboard,’ which has over a million downloads despite the 1.8-star score and many negative reviews.

“This app “killed” my phone. It keep’d crashing , i couldn’t even enter password to unlock phone and uninstall it. Eventually, I had to make a complete wipe out (factory reset), to regain phone. DO NOT , install this app !!!!,” read a review of the app on the Google Play Store.

One of the adware-hiding apps
One of the adware-hiding apps

The second category of malicious apps found on the Play Store is Joker apps, known for incurring fraudulent charges on victims’ mobile numbers by subscribing them to premium services.

Two of the listed apps, ‘Water Reminder’ and ‘Yoga – For Beginner to Advanced,’ are still on the Play Store, having 100,000 and 50,000 downloads, respectively.

Two of the trojanized apps still on the Play Store
Two of the trojanized apps still on the Play Store

Both provide the promised functionality, but they also perform malicious actions in the background, interacting with invisible or out-of-focus elements loaded via WebView and burdening the users with charges.

Finally, Dr. Web highlights two Facebook account stealers distributed in image editing tools that apply cartoon filters over regular images.

These apps are ‘YouToon – AI Cartoon Effect’ and ‘Pista – Cartoon Photo Effect,’ which have been collectively downloaded over 1.5 million times via the Play Store.

Very popular image editor that's actually a Facebook stealer
Very popular image editor that’s actually a Facebook stealer (Dr. Web)

BleepingComputer has contacted Google about the malicious apps remaining on the Play Store but has not heard back at this time.

Staying safe on the Google Play Store

Android malware will always find a way to creep into the Google Play Store, and sometimes apps can stay there for several months, so you should not blindly trust any app can blindly trust no apps.

Due to this, it is vital to check user reviews and ratings, visit the developer’s website, read the privacy policy, and pay attention to the requested permissions during installation.

Additionally, always ask yourself if the promised functionality is necessary to you, as keeping the number of apps on your phone at a minimum is a reliable way to reduce the chances of malware infections.

Finally, ensure that Play Protect is active on your device and regularly monitor your internet data and battery consumption to identify any suspicious processes that run in the background.

As previously stated, users should also check to see if they have any of the following Android adware apps install on their devices, and if found, manually remove them and scan for viruses.

  • Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)
  • Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
  • Photo Editor: Art Filters (gb.painnt.moonlightingnine)
  • Photo Editor – Design Maker (gb.twentynine.redaktoridea)
  • Photo Editor & Background Eraser (de.photoground.twentysixshot)
  • Photo & Exif Editor (de.xnano.photoexifeditornine)
  • Photo Editor – Filters Effects (de.hitopgop.sixtyeightgx)
  • Photo Filters & Effects (de.sixtyonecollice.cameraroll)
  • Photo Editor : Blur Image (de.instgang.fiftyggfife)
  • Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)
  • Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
  • Neon Theme Keyboard (com.neonthemekeyboard.app)
  • Neon Theme – Android Keyboard (com.androidneonkeyboard.app)
  • Cashe Cleaner (com.cachecleanereasytool.app)
  • Fancy Charging (com.fancyanimatedbattery.app)
  • FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
  • Call Skins – Caller Themes (com.rockskinthemes.app)
  • Funny Caller (com.funnycallercustomtheme.app)
  • CallMe Phone Themes (com.callercallwallpaper.app)
  • InCall: Contact Background (com.mycallcustomcallscrean.app)
  • MyCall – Call Personalization (com.mycallcallpersonalization.app)
  • Caller Theme (com.caller.theme.slow)
  • Caller Theme (com.callertheme.firstref)
  • Funny Wallpapers – Live Screen (com.funnywallpapaerslive.app)
  • 4K Wallpapers Auto Changer (de.andromo.ssfiftylivesixcc)
  • NewScrean: 4D Wallpapers (com.newscrean4dwallpapers.app)
  • Stock Wallpapers & Backgrounds (de.stockeighty.onewallpapers)
  • Notes – reminders and lists (com.notesreminderslists.app)

Source: www.bleepingcomputer.com