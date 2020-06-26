Another new case of malware in Google Play Store.

An investigation carried out by the specialized cybersecurity company Avast has discovered a new ad fraud attack – yet another – hidden in nearly 50 games distributed through the Google Play Store. The games had managed to amass a number of downloads that far exceeded 15 million in total, given that some of them accumulated more than 1 million installations through the store.

The attack appeared to be primarily aimed at infecting the devices of users residing in countries in Asia and Latin America, and those most affected were Brazil, India, Turkey, Argentina and Mexico. However, the presence on Google Play meant that the games ended up being installed on thousands of devices spread around the world.

Today, Google has already removed all infected games upon Avast’s notice. However, some of the affected users may still have malware installed on their devices.

HiddenAds, a Trojan hidden in 47 different games

Through the research carried out by Avast, it was discovered that the 47 games that were part of this attack contained code that violated Google Play’s advertising and spam policies. The vast majority had been published under different developer profiles so as not to raise suspicions, and had been present in the Google Play Store since the beginning of May.

According to the researchers, to carry out this attack campaign, the games would have been published on Google Play hiding its true purpose, or by introducing the malicious code through incremental updates that would arrive once users had already installed the games on their devices. From that moment on, they began to show intrusive ads difficult to remove, in addition to proceeding to hide the application icon and make it difficult to uninstall it. In the table below these lines, it is possible to see some of the games infected with malicious code, which were removed from Google Play after the warning by the researchers:

App namedownloadsDraw Color by Number1,000,000Skate Board – New1,000,000Find Hidden Differences1,000,000Shoot Master1,000,000Spot Hidden Differences500,000Dancing Run – Color Ball Run500,000Find 5 Differences500,000Joy Woodworker500,000Throw Master500,000Throw into Space500,000Divide it – Cut & Slice Game500,000Tony Shoot – NEW500,000Assassin Legend500,000Stacking Guys500,000Save Your Boy500,000Assassin Hunter 2020500,000Stealing Run500,000Fly Skater 2020500,000Disc Go！ 500,000

By studying how malware works, it was discovered how some of the apps did serve their purpose, giving users the possibility of play the first levels. For this, once the app was installed, a ten-minute counter was started that allowed the user play during that time before carrying out their malicious tasks. In case of keeping the mobile unlocked, the counter would reset to allow the user to continue playing and not raise suspicions.

Once the necessary circumstances were in place to allow the game to carry out its true mission, in the first place the main activity of the game was deactivated, removing the app drawer icon in passing. From that moment on, display intrusive full-screen ads as well as banners and notifications.

After a first notice, Google was able to remove 30 of the malicious applications from Google Play Store. Later, the rest of the apps involved in this campaign were removed. From Avast, they offer us a sheet with all the games infected by this Trojan.

