Security researchers have discovered a new Android malware strain distributed through the Google Play Store. According to the published report, the infected apps were downloaded more than 500,000 times. The applications that serve as the payload delivery mechanism are mostly QR code readers.
Android Malware Identified in QR Readers
Computer security researchers have revealed another dangerous infection. According to a published report, a number of Android QR reader apps carried a new threat. The data shows that the infected apps were downloaded more than 500,000 times. The case is considered serious because the malware bypassed Google Play Protect, the platform's built-in app scanning, and reached users through the official store rather than through any flaw in Android itself.
The criminals either infected legitimate apps or created fake ones carrying the malicious code, relying on the apps' apparent usefulness to attract installs. A partial list of the affected apps includes the following entries:
- QR Code / Barcode
- Smart compass
- QR Code Free Scan
- QR & Barcode Scanner
In addition to QR readers, the malware code was also identified in a smart compass app. The malware has been assigned the name Andr/HiddnAd-AJ. The experts identified several different versions bundled into the various apps.
Malicious Android Apps Under Analysis
The analysis reveals that the malicious Android apps begin execution with a stealth mechanism: the malware delays its startup for several hours, so that the common signature and behavioural checks run by the system or by installed security apps around install time see nothing suspicious. Once the delay has elapsed, the actual malicious activity begins. The main goal of the threat appears to be to generate a stream of intrusive advertisements. This works in a way similar to traditional browser hijackers, where the operators modify the installed software in order to redirect users to a hacker-controlled page.
The malicious Android apps can also send repeated push notifications carrying the same message, a tactic intended to pressure users into interacting with the dangerous element. The analysis further reveals that every time the malicious apps are started, they open a network connection to the hacker-controlled servers. A configuration file is generated for each infected device and delivered to the local malware instance. It contains the following values:
- The Google Ad Unit ID for the specific device.
- A list of predefined links that form the pushed advertisements.
- The icons, messages and hyperlinks for the displayed ad campaigns.
- The predefined delay before the next network connection is established.
The consequences of a successful infection are a flood of full-screen advertisements, web pages and push notification messages.
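The delayed start and the periodic configuration fetch described above are behaviours a defender can look for in device network telemetry, independently of any signature. The following Python script is an added example, not code from the article or from the researchers' report: it runs a beacon-periodicity heuristic over a constructed connection log. The log format, package names, hostnames, timestamps, the six-hour initial delay and the thirty-minute polling interval are all assumptions chosen for illustration, as are the detection thresholds.

```python
"""Beacon-periodicity heuristic for delayed, fixed-interval C2 polling.

Added example; not code from the original article or the researchers.
Everything below (log format, names, timestamps, thresholds) is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample: one outbound connection per line, formatted as
# "<ISO timestamp> <package> <destination host>".  The (hypothetical) adware
# package first connects about six hours after install and then polls its
# config server every 30 minutes with almost no jitter; the browser and the
# mail client connect at irregular times.
INSTALL_TIME = datetime(2018, 3, 20, 9, 0, 0)
SAMPLE_LOG = """\
2018-03-20T09:02:11 com.android.chrome news.example.org
2018-03-20T09:47:30 com.android.chrome cdn.example.net
2018-03-20T11:15:02 com.example.mail imap.example.com
2018-03-20T15:00:05 com.example.qrscanner ads-config.example.test
2018-03-20T15:30:06 com.example.qrscanner ads-config.example.test
2018-03-20T16:00:04 com.example.qrscanner ads-config.example.test
2018-03-20T16:30:07 com.example.qrscanner ads-config.example.test
2018-03-20T17:00:05 com.example.qrscanner ads-config.example.test
2018-03-20T17:12:44 com.android.chrome news.example.org
2018-03-20T17:30:06 com.example.qrscanner ads-config.example.test
2018-03-20T18:00:05 com.example.qrscanner ads-config.example.test
2018-03-20T19:40:21 com.example.mail imap.example.com
"""


def parse_log(text):
    """Group connection timestamps by (package, host), sorted by time."""
    conns = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, pkg, host = line.split()
        conns[(pkg, host)].append(datetime.fromisoformat(ts))
    for key in conns:
        conns[key].sort()
    return conns


def find_beacons(conns, install_time, min_samples=5, max_jitter=0.05,
                 min_delay=timedelta(hours=1)):
    """Flag (package, host) pairs that look like delayed, fixed-interval polling.

    A pair is flagged when it has at least `min_samples` connections, the gaps
    between them vary by less than `max_jitter` (population stdev / mean), and
    the first contact happened at least `min_delay` after the app was installed.
    Returns one dict per suspicious pair.
    """
    findings = []
    for (pkg, host), times in conns.items():
        if len(times) < min_samples:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps; nothing periodic to measure
            continue
        jitter = pstdev(gaps) / avg
        first_delay = times[0] - install_time
        if jitter <= max_jitter and first_delay >= min_delay:
            findings.append({
                "package": pkg,
                "host": host,
                "first_contact_after_install_h": round(first_delay.total_seconds() / 3600, 2),
                "interval_min": round(avg / 60, 1),
                "jitter": round(jitter, 4),
                "samples": len(times),
            })
    return findings


def analyse(text=SAMPLE_LOG, install_time=INSTALL_TIME):
    """Run the heuristic over a log and return the suspicious pairs."""
    return find_beacons(parse_log(text), install_time)


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

Run against the constructed log, only the QR scanner package is flagged: its first contact comes six hours after install and the following connections recur every 30 minutes with negligible jitter, while the browser and mail traffic is too irregular and too sparse to match. Legitimate sync clients also poll on a schedule, so a hit is a triage signal that should be combined with the destination host's reputation and the app's declared purpose, not proof of infection on its own.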
The presence of such threats is particularly alarming because the same foothold can be abused to cause other types of device infection, ranging from additional payload delivery to system modifications. Updated versions could include a Trojan module used to spy on the victims in real time or to take control of their devices at any given time.
The security experts notified Google and all identified apps have been promptly removed from the Play Store. Such incidents happen only occasionally, but they show that the security mechanisms built into the platform can fail to identify malicious files. Still, the researchers continue to advise Android users to trust the official store, as it can respond to such situations by removing the offending apps.