Facebook Ads Promoted Apps With HiddenAds Malware, Affects Over 1 Million Users


Researchers from McAfee’s Mobile Research Team have discovered a new malware family called HiddenAds in the Google Play Store. It disguises itself as system cleaner apps that remove unwanted files from devices, or as apps that help optimize battery life for device management.

The infected apps aggressively hide themselves, promote themselves on Facebook, and deliver continuous advertisements to victims in various ways. Once installed on a victim’s device, the malware automatically runs malicious services, without requiring the user to open the app.

To promote these apps to new users, the malware authors created advertising pages on Facebook. Because the link to Google Play is distributed through a legitimate social media platform, users have little reason to doubt it.

The adware apps misuse the Android Contact Provider component, which enables the transfer of data between the device and online services. For this, Google provides the ContactsContract class, which is the contract between the Contacts Provider and applications.

“In ContactsContract, there is a class called Directory. A Directory represents a contact corpus and is implemented as a Content Provider with its unique authority. So developers can use it if they want to implement a custom map. The contact provider can recognize that the app is using a custom folder by checking special metadata in the manifest file,” McAfee wrote in a blog post.

“Most importantly, the Contact Provider automatically requests newly installed or replaced packages. For example, installing a package with special metadata will always automatically contact the Contact Provider.”
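As an added example (not McAfee's code and not part of the original article), a defender triaging an APK can look for this marker in a decoded AndroidManifest.xml. It assumes the marker is the `android.content.ContactDirectory` meta-data entry documented for ContactsContract.Directory; the sample manifest and its `com.example.cleaner` names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Manifest metadata key that marks a provider as a contact directory.
DIRECTORY_META = "android.content.ContactDirectory"
# Package names taken from the list in this article.
REPORTED = {
    "cn.junk.clean.plp", "com.easy.clean.ipz", "power.doctor.mnb",
    "com.super.clean.zaz", "org.stemp.fll.clean", "com.fingertip.clean.cvb",
    "org.qck.cle.oyo", "org.clean.sys.lunch", "in.phone.clean.www",
    "og.crp.cln.zda", "syn.clean.cool.zbc", "in.memory.sys.clean",
    "org.ssl.wind.clean",
}

# Constructed sample: decoded manifest with made-up package and class names.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
  <application>
    <provider android:name=".DirProvider" android:exported="true"
              android:authorities="com.example.cleaner.dir">
      <meta-data android:name="android.content.ContactDirectory"
                 android:value="true"/>
    </provider>
    <provider android:name=".FilesProvider" android:exported="false"
              android:authorities="com.example.cleaner.files"/>
  </application>
</manifest>"""


def find_contact_directories(manifest_xml):
    """Return providers that declare themselves as contact directories."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    hits = []
    for provider in root.iter("provider"):
        for meta in provider.findall("meta-data"):
            flagged = (meta.get(ANDROID + "name") == DIRECTORY_META
                       and meta.get(ANDROID + "value", "").lower() == "true")
            if flagged:
                hits.append({
                    "package": package,
                    "provider": provider.get(ANDROID + "name"),
                    "authority": provider.get(ANDROID + "authorities"),
                    "reported": package in REPORTED,
                })
    return hits

if __name__ == "__main__":
    print(find_contact_directories(SAMPLE_MANIFEST))
```

A hit is only a triage signal: a cleaner or battery app has no obvious reason to register a contact directory, so a match warrants a closer look at what the provider does when it is queried.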

The first activity of this malware is to create a permanent ad display service. If the service process is “killed” (terminated), it regenerates immediately.

Malicious service process

Then they change their icons and names using the tag to hide.

icons changed

According to McAfee, these apps have already been installed between 100K and 1M+ times each. The list below shows the unusually high download numbers for these applications:

  1. clutter cleaner, cn.junk.clean.plp, more than 1 million downloads
  2. EasyCleaner, com.easy.clean.ipz, 100K+ downloads
  3. power doctor, power.doctor.mnb, 500K+ downloads
  4. super clean, com.super.clean.zaz, 500K+ downloads
  5. Completely clean-Clean Cache, org.stemp.fll.clean, 1M+ downloads
  6. Fingertip Cleaner, com.fingertip.clean.cvb, 500K+ downloads
  7. Fast cleaner, org.qck.cle.oyo, more than 1 million downloads
  8. Keep clean, org.clean.sys.lunch, more than 1 million downloads
  9. Windy Clean, in.phone.clean.www, 500K+ downloads
  10. Carpet Clean, og.crp.cln.zda, 100K+ downloads
  11. Cool clean, syn.clean.cool.zbc, 500K+ downloads
  12. Strong clean, in.memory.sys.clean, 500K+ downloads
  13. Meteor clean, org.ssl.wind.clean, 100K+ downloads

Most affected users are in countries such as South Korea, Japan and Brazil. McAfee has already disclosed this threat to Google, and the search giant has removed all reported applications from the Play Store.

If you have installed any of the aforementioned apps on your Android smartphone, it is recommended that you manually uninstall them from the device.
