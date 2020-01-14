The developers used a number of tricks to fill Google Play with more than a dozen apps that bombard users with advertisements, even when the apps were not used, the researchers said on Tuesday.

One of the tactics used to reduce the likelihood of being intercepted by Google or disgruntled users: the apps wait 48 hours before hiding their presence on devices, interrupting the display of ads for four to four hours, and displaying the ads at random intervals view and split the code into several files, researchers reported with anti-virus provider Bitdefender. The apps also include work code that does the job promised in the Google Play descriptions and gives them the appearance of legitimacy. Bitdefender found a total of 17 such apps with a total of 550,000 installations.

One of the apps analyzed by Bitdefender was a racing simulator, which also charged in-app fees for additional functions. While it worked as advertised, it also aggressively displayed advertisements that depleted the batteries and sometimes prevented players from playing. After a waiting period of four hours, ads with a random number (less than three) that have been compared with a value are generated. If the random number matches the value, an ad will appear.

The result: When a user unlocks an infected phone, an ad is likely to appear one in three. The ad mechanisms are also spread over several activities and use modified adware developer kits. The randomness of the ad occurrence and the display time intervals also make it difficult to identify patterns from which the source can possibly be identified. The app uses other tricks to make the ads unpredictable.

“Users see multiple ads either in-game when they press different buttons, or when they’re not in the app,” the Tuesday report said. “The frequency with which ads appear in-game depends on a random value. In half the cases there is a chance that an ad will appear when using some game features.”

The app also divides its content into two resource files. The code for the ad serving is in the first, the code for the working game in the second. Bitdefender researchers wrote:

For registered recipients, the first is for android.intent.action.BOOT_COMPLETED. When the show is received, the app begins an activity that launches a job planner to display ads. The scheduled service starts after 10 minutes and shows an ad only once. The scheduler recreates itself by calling the method from the activity that originally created it, and then starts again after 10 minutes.

Another recipient that the app registers is for android.intent.action.USER_PRESENT. Whenever the user unlocks the device, if at least 4 hours have passed since installing the app, there is a possibility that an ad will appear. This is because the ad ads are programmed by generating a random number less than 3 that is compared to a value. If the generated number matches the check number, an ad will appear. Therefore, ads are three times more likely to be unlocked by the user.

In total, Bitdefender found 17 apps that use the same tactic. They have been downloaded 550,000 times. At the time of writing, Google was removing the apps from Play. Google employees didn’t immediately respond to an email looking for a comment for this post. The apps are:

Auto racing 2019

4K Wallpaper (Background 4K Full HD)

Backgrounds 4K HD

QR Code Reader and Barcode Scanner Pro

File manager Pro – Manager SD card / Explorer

VMOWO City: Speed ​​Racing 3D

barcode scanner

Screen stream mirroring

QR Code – scan and read a barcode

Period tracker – cycle ovulation women

QR & Barcode Scan Reader

Backgrounds 4K, Backgrounds HD

Smart data transfer

Explorer file manager

Weather radar today

Mobnet.io: Big Fish Frenzy

Clock LED

The following image, courtesy of Bitdefender, contains additional details:

Technically speaking, the apps are not classified as malware because they limit their hidden functions to displaying ads. Given the battery drain this causes and the potential for developers to add new, more nefarious behaviors to updates, these apps should be uninstalled as soon as possible.