Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular applications to serve unwanted ads to users as part of a campaign ongoing since October 2022.
"The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue," Bitdefender said in a technical report shared with The Hacker News. "However, the threat actors involved can easily switch tactics to redirect users to other types of malware such as banking Trojans to steal credentials and financial information or ransomware."
The Romanian cybersecurity company said it has discovered 60,000 unique apps carrying the adware, with a majority of the detections located in the U.S., South Korea, Brazil, Germany, the U.K., France, Kazakhstan, Romania, and Italy.
It's worth pointing out that none of the apps are distributed through the official Google Play Store. Instead, users searching for apps like Netflix, PDF viewers, security software, and cracked versions of YouTube on a search engine are redirected to an ad page hosting the malware.
The apps, once installed, have no icons or names in a bid to evade detection. What's more, users launching an app for the first time after installation are displayed the message "Application is unavailable in your region from where the app serves. Tap OK to uninstall," while stealthily activating the malicious activity in the background.
The modus operandi is another area of note wherein the adware behavior remains dormant for the first few days, after which it's awakened when the victim unlocks the phone in order to serve a full-screen ad using Android WebView.
The findings come as cybersecurity firm CloudSEK disclosed it had identified the rogue SpinOK SDK – which was revealed by Doctor Web last month – in 193 apps on the Google Play Store that have been downloaded 30 million times.
On the surface, the SpinOk module is designed to maintain users' interest in apps with the help of mini-games and tasks to win alleged rewards. But peer inside, the trojan harbors functionalities to steal files and replace clipboard contents.
In a related development, the SonicWall Capture Labs Threat research team also unearthed another strain of Android malware that impersonates legitimate apps to harvest a wide range of information from compromised handsets by abusing the operating system's accessibility services.
"These features allow the attacker to access and steal valuable information from the victim's device, which can lead to various types of fraud, including financial fraud, and identity theft," SonicWall said.