'SlopAds' Malware Scam Uses Creative Tactics

Researchers say a malware operation involving 224 malware-laden Android apps was particularly creative. They used a combination of tactics to disguise the malware and hide it from Google and security researchers.

Human Security, which revealed details of the operation, has labeled it "SlopAds". Its ultimate goal was to hijack phones and tablets to generate bogus clicks, making it look as if a real user had viewed an ad on a site operated by the scammers. The scammers then collect revenue from advertisers who are unaware that no human saw their message. (Source: humansecurity.com)

The researchers say the apps were responsible for around 2.3 billion bid requests a day. That's where the site effectively says "I have a user visiting this page: who will pay me the most to show their ad to them?"

While Human Security obviously has an interest in talking up how sophisticated the operation was (and by implication how smart they were to uncover it), the scammers do appear to have put a lot of thought into the operation.

Ad Campaign

For example, the rogue apps included code that checked whether the installation came after a user browsed the Google Play Store or if they'd reached the app listing page by clicking on an online ad placed by the scammers. If the user had simply browsed the Play Store, the app worked as advertised and did nothing else.

It's not entirely clear why the scammers used that set-up. One possibility is that it was a temporary measure to help track how effective the online ads were. Another is that it was a way to delay detection by security researchers who would most likely go to the Play Store to download apps for testing.

If the app install did stem from the online ad, the app then downloaded four image files. These appeared to be harmless, but each housed some additional code that had nothing to do with the image. The app would then combine the code to create the malware instructions, an approach that made it less likely the app would be flagged during any verification process.
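One way a defender can spot images that carry more than pixels, as described above, is to parse the file structure and flag anything that does not belong. This is an added example, not code from Human Security's report or from the apps themselves; it assumes the hidden code was appended after the PNG's IEND chunk or stored in a non-standard chunk (two common concealment methods), and the sample images are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is worth a look.
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "gAMA", "cHRM", "sRGB",
                   "iCCP", "tEXt", "zTXt", "iTXt", "bKGD", "pHYs", "sBIT", "sPLT",
                   "hIST", "tIME"}

def png_chunks(data: bytes):
    """Walk the chunk sequence. Returns (chunks, trailing_bytes), where chunks is a
    list of (type, length) and trailing_bytes is everything after IEND, which a
    well-formed image never has. Raises ValueError on structural damage."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.pack(">I", zlib.crc32(ctype + body)) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        chunks.append((ctype.decode("ascii"), length))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]
    raise ValueError("no IEND chunk")

def suspicious_png(data: bytes) -> dict:
    """Report trailing data after IEND and non-standard chunk types."""
    chunks, trailing = png_chunks(data)
    unknown = [c for c, _ in chunks if c not in STANDARD_CHUNKS]
    return {"trailing_bytes": len(trailing), "unknown_chunks": unknown,
            "suspicious": bool(trailing) or bool(unknown)}

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a valid 1x1 grey PNG, one with bytes appended after IEND,
# and one with a private (non-standard) chunk inserted before IEND.
_IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
_IDAT = _chunk(b"IDAT", zlib.compress(b"\x00\x80"))  # filter byte + one pixel
CLEAN_PNG = PNG_SIGNATURE + _IHDR + _IDAT + _chunk(b"IEND", b"")
APPENDED_PNG = CLEAN_PNG + b"FRAGMENT-1 (constructed placeholder, not real code)"
PRIVATE_CHUNK_PNG = PNG_SIGNATURE + _IHDR + _IDAT + _chunk(b"prVt", b"FRAGMENT-2") + _chunk(b"IEND", b"")

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_PNG), ("appended", APPENDED_PNG), ("private", PRIVATE_CHUNK_PNG)]:
        print(name, suspicious_png(img))
```

A hit from this check is a triage signal rather than proof: legitimate tools do write private chunks, so the flagged bytes should be inspected before the file is declared malicious.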

Malware Hunts Malware Hunters

The app also included instructions to check whether it was being analyzed with debugging tools, a common way to spot malicious activity. It also had instructions to only continue with the bogus ad clicks if the device met specified conditions. That's likely a way to make the ad click appear to be from a legitimate user.

Most of the apps offered computer utilities or were based around AI features, often using the names of legitimate tools. Google has now removed all of the identified apps from the Play Store.

One piece of good news is that this situation is covered by recent changes to Google's policy. In the past, it was down to users to find out about rogue apps already on their phone. However, users who have the Play Protect feature (which should be enabled by default) will now get an on-screen warning if any of the 224 apps are installed, along with a prompt to uninstall them. (Source: forbes.com)

What's Your Opinion?

Are you surprised at the sophistication of the scammers? Do you care if online advertisers get scammed? Have you had any warnings from Google's Play Protect feature?
