Adware Posing as 85 Photography and Gaming Apps on Google Play Installed Over 8 Million Times

The mobile platform is ubiquitous, enabling users to make online transactions, run their everyday lives, and even work from their devices. It’s no surprise that fraudsters and cybercriminals would want to cash in on it. Delivering adware, for example, enables them to monetize affected devices while attempting to appear innocuous. And while adware may be viewed as a nuisance at best, mobile ad fraud and adware-related incidents became so rampant last year that they caused businesses hefty financial losses.


We found another example of adware’s potential real-life impact on Google Play. Trend Micro detects this as AndroidOS_Hidenad.HRXH. It isn’t your run-of-the-mill adware family: Apart from displaying advertisements that are difficult to close, it employs unique techniques to evade detection through user behavior and time-based triggers.


These adware-laden apps posed as 85 photography or gaming applications on Google Play, where they have netted more than eight million in combined downloads. We’ve disclosed our findings to Google, and the adware-embedded apps are no longer on the Play store.



Figure 1. Screenshot of the applications embedded with adware


How the adware checks for user behavior or presence


After the app is launched, it first records two timestamps: the current time (the device’s system time) as “installTime”, and the network time, whose timestamp is retrieved by abusing a publicly available and legitimate RESTful application programming interface (API), then stored as “networkInstallTime”.
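For triage of a device or emulator image, the two stored names give a simple indicator to search for. The following is an added example, not code from the adware or from Trend Micro: it assumes the values are kept as epoch-millisecond entries in an Android SharedPreferences XML file, which the article does not state, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Names quoted in the article. Storage format and units are assumptions.
MARKER_KEYS = ("installTime", "networkInstallTime")

# Constructed samples in the standard SharedPreferences <map> layout.
SAMPLE_HIT = """<map>
    <long name="installTime" value="1565000000000" />
    <long name="networkInstallTime" value="1565000042000" />
    <boolean name="firstRun" value="false" />
</map>"""
SAMPLE_CLEAN = """<map>
    <long name="installTime" value="1565000000000" />
    <string name="theme">dark</string>
</map>"""


def parse_prefs(xml_text):
    """Return {name: raw value} for every entry of a SharedPreferences <map>."""
    prefs = {}
    for node in ET.fromstring(xml_text):
        name = node.get("name")
        if name is None:
            continue
        # <long>/<int>/<boolean> use a value attribute, <string> uses element text.
        value = node.get("value")
        prefs[name] = value if value is not None else (node.text or "")
    return prefs


def triage(xml_text):
    """Flag a prefs file holding BOTH names and report device-minus-network skew."""
    try:
        prefs = parse_prefs(xml_text)
    except ET.ParseError:
        return {"match": False, "reason": "unparseable"}
    # "installTime" alone is a common key name, so both must be present.
    if not all(key in prefs for key in MARKER_KEYS):
        return {"match": False, "reason": "keys missing"}
    try:
        device_ms, network_ms = (int(prefs[key]) for key in MARKER_KEYS)
    except ValueError:
        return {"match": True, "skew_seconds": None}
    return {"match": True, "skew_seconds": (device_ms - network_ms) / 1000}


if __name__ == "__main__":
    print(triage(SAMPLE_HIT))
    print(triage(SAMPLE_CLEAN))
```

A match is a lead for further analysis of the owning package, not a verdict; the reported skew is how far the device clock was from network time when the values were written.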

