Google has been known to pull malicious apps from its storefront from time to time, usually in large ban waves. In many cases, these apps masquerade as something beneficial, like a photo app or a game. However, once a user installs them on a device, the apps often turn out to contain less-than-savory hidden software, usually malware or adware.
The latest wave of apps banned by Google happened to contain the latter. 85 adware-infested apps have been removed from the Google Play Store — the adware in question is known as “AndroidOS_Hidenad.HRXH,” according to Trend Micro. The site says this adware is particularly frustrating to deal with because it contains “unique techniques” that help it evade detection, while also displaying unskippable, difficult-to-close (full-screen) advertisements.
In most cases, the apps in question posed as games or photography apps. Their removal was triggered after Trend Micro security researchers sent the results of their recent adware investigation to Google.
So, what are the “unique techniques” that this adware used to avoid immediate deletion? “Every time the user unlocks the device, the adware will perform several checks before it executes its routines,” Trend Micro writes. “It first compares the current time (the device’s system time) with the timestamp stored as installTime; it then compares the current network time (queried via a RESTful API) with the timestamp stored as networkInstallTime.”
Apparently, these checks allow a malicious app to determine when it’s “safe” to begin displaying ads to users. The default time gap is 30 minutes, but that number can vary. Not only does this tactic reduce the risk of manual app removal or virus scans by the user, but it also helps the apps evade any “time-based detection techniques” built into Android.
There’s some good news, though: anyone who downloaded these risky apps is probably in the clear, as long as their device was running the latest version of Android. Trend Micro says this adware only seems to affect devices that are still on Android 8.0 or older, as newer versions of Android will display a confirmation dialogue box before the apps can execute their shady tasks.
Alternatively, you could simply avoid downloading any apps that you don’t trust. The tricky part of this scenario, though, is that many of these apps had fairly good reviews on the surface. Though these reviews were almost certainly faked, that could be enough to hook a casual user. That’s why it’s always important to read the reviews themselves before purchasing a product or downloading an app.
Regardless, these adware-filled apps were downloaded over 8 million times in total, which seems to imply that many users didn’t dig too deeply into what they were grabbing.