43 Android apps in Google Play with 2.5M installs loaded ads when a phone screen was off

Pierluigi Paganini August 08, 2023

Experts found 43 Android apps in Google Play with 2.5 million installs that displayed advertisements while a phone’s screen was off.

Recently, researchers from McAfee’s Mobile Research Team discovered 43 Android apps in Google Play with 2.5 million installs that loaded advertisements while a phone’s screen was off.

The experts pointed out that this behavior violates Google Play Developer policy. It impacts the advertisers, who pay for ads that will never be displayed to users, and it also impacts the users, because it drains battery, consumes data, and exposes them to multiple risks, including information leaks and disruption of user profiling caused by Clicker behavior.

The malicious apps include TV/DMB players, music downloaders, news apps, and calendar applications.


The Ad Fraud campaign uncovered by McAfee targeted mainly Korean Android users.

According to the report, the ad fraud library used in this campaign implements specific tricks to avoid detection and inspection, such as delaying the initiation of its fraudulent activities.

“It deliberately delays the initiation of its fraudulent activities, creating a latent period from the time of installation. What’s more, all the intricate configurations of this library can be remotely modified and pushed using Firebase Storage or Messaging service. These factors significantly add to the complexity of identifying and analyzing this fraudulent behavior.” reads the report. “Notably, the latent period typically spans several weeks, which makes it challenging to detect.”

After the latent period, the rogue apps start fetching and loading ads when the device screen is turned off, so users will never know that their devices are involved in this fraudulent scheme. The ad library registers device information by accessing the unique domain (e.g., mppado.oooocooo.com) linked with the application. The app then retrieves the specific advertisement URL from Firebase Storage and shows the ads.

However, by quickly turning the screen back on, it is possible to catch a glimpse of the ad before it is automatically closed.
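A defender-side triage check for the behavior described above, as an added example that is not from McAfee's report or this article: it correlates screen-state changes with per-app requests to ad hosts and reports apps that fetch ads while the screen is off, along with the delay since install. The telemetry, package names, and hosts are constructed, and how such events are collected on a device is assumed.

```python
from bisect import bisect_right
from collections import defaultdict

DAY = 86400
# Constructed sample telemetry (not from the report). Times are epoch seconds.
SCREEN_EVENTS = [(0, "on"), (30 * DAY, "off"), (30 * DAY + 3600, "on"),
                 (31 * DAY, "off"), (31 * DAY + 7200, "on")]
INSTALLS = {"com.example.tvplayer": 0, "com.example.news": 0}  # hypothetical packages
AD_HOSTS = {"ads.example.net"}  # assumed ad-serving hosts
REQUESTS = [  # (time, package, host)
    (100, "com.example.news", "ads.example.net"),               # screen on
    (30 * DAY + 1800, "com.example.news", "api.example.org"),   # off, not an ad host
    (30 * DAY + 60, "com.example.tvplayer", "ads.example.net"),
    (30 * DAY + 600, "com.example.tvplayer", "ads.example.net"),
    (31 * DAY + 300, "com.example.tvplayer", "ads.example.net"),
]

def screen_state_at(ts, events):
    """State in effect at ts (events sorted by time), or None before the first event."""
    i = bisect_right([t for t, _ in events], ts) - 1
    return events[i][1] if i >= 0 else None

def screen_off_ad_report(requests, events, installs, ad_hosts, min_hits=3):
    """Return {package: (hits, latent_days)} for apps with at least min_hits
    ad fetches made while the screen was off."""
    hits = defaultdict(list)
    for ts, pkg, host in requests:
        if host in ad_hosts and screen_state_at(ts, events) == "off":
            hits[pkg].append(ts)
    report = {}
    for pkg, times in hits.items():
        if len(times) >= min_hits:
            first = min(times)
            # Days between install and the first screen-off ad fetch (latent period).
            latent_days = (first - installs.get(pkg, first)) // DAY
            report[pkg] = (len(times), latent_days)
    return report

if __name__ == "__main__":
    result = screen_off_ad_report(REQUESTS, SCREEN_EVENTS, INSTALLS, AD_HOSTS)
    for pkg, (n, days) in result.items():
        print(f"{pkg}: {n} ad fetches with screen off, first seen {days} days after install")
```

Legitimate apps also make background requests with the screen off, so the check counts only requests to ad hosts, which have no reason to be fetched when nothing can be displayed.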

“In conclusion, it is essential for users to exercise caution and carefully evaluate the necessity of granting permissions like power saving exclusion, or draw over other apps before allowing them. While these permissions might be required for certain legitimate functionalities for running in the background, it is important to consider the potential risks linked with them, such as enabling hidden behaviors or reducing the relevance of ads and contents displayed to users because of the hidden Clicker behavior.” concludes the report.

The researchers also shared indicators of compromise (IoCs) for these apps along with the names of the Android packages.
