apps followed the classic tactic<\/a> of luring users in by pretending to perform some specialized function, then changing their name and icon after installation, making them harder to find and remove later. As a rule, the malware changes the icon to a gear and renames itself into Settings, but sometimes it looks like Motorola<\/b>, Oppo<\/b> and Samsung<\/b> system applications.<\/p>\nAfter infiltrating the victim’s device, applications begin to display intrusive ads, abusing the WebView<\/b>, and thereby generating ad revenue for their operators. Also, since these apps use their own ad loading framework, it is likely that additional malicious payloads could be delivered to the compromised device.<\/p>\n
The detected malware uses several methods of disguise, including trying to receive updates as late as possible in order to more reliably disguise itself on the device. In addition, if the victim does find suspicious Settings and opens them, a malicious application with a size of 0 is launched to hide from human eyes. The malware then opens the actual settings menu to make the user think they are running a real app.<\/p>\n
![\"Google](\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/08\/malware-class.jpg\" "\\"\\"")
<\/p>\n
Analysts also note that the malware uses complex obfuscation and encryption to make reverse engineering difficult and hide the main payload in two encrypted DEX files.<\/p>\n
The list of the most popular malicious applications (over 100,000 downloads) can be seen below. At the same time, it must be said that most of them have already been removed from the official Google store, but are still available in third-party app stores, including APKSOS<\/b>, APKAIO<\/b>, APKCombo<\/b>, APKPure<\/b> and APKsfull<\/b>.<\/p>\n\n- Walls light \u2013 Wallpapers Pack (gb.packlivewalls.fournatewren);<\/li>\n
- Big Emoji \u2013 Keyboard 5.0 (gb.blindthirty.funkeyfour);<\/li>\n
- Grand Wallpapers \u2013 3D Backdrops 2.0 (gb.convenientsoftfiftyreal.threeborder);<\/li>\n
- Engine Wallpapers (gb.helectronsoftforty.comlivefour);<\/li>\n
- Stock Wallpapers (gb.fiftysubstantiated.wallsfour);<\/li>\n
- EffectMania \u2013 Photo Editor 2.0 (gb.actualfifty.sevenelegantvideo);<\/li>\n
- Art Filter \u2013 Deep Photoeffect 2.0 (gb.crediblefifty.editconvincingeight);<\/li>\n
- Fast Emoji Keyboard APK (de.eightylamocenko.editioneights);<\/li>\n
- Create Sticker for Whatsapp 2.0 (gb.convincingmomentumeightyverified.realgamequicksix);<\/li>\n
- Math Solver \u2013 Camera Helper 2.0 (gb.labcamerathirty.mathcamera);<\/li>\n
- Photopix Effects \u2013 Art Filter 2.0 (gb.mega.sixtyeffectcameravideo);<\/li>\n
- Led Theme \u2013 Colorful Keyboard 2.0 (gb.theme.twentythreetheme);<\/li>\n
- Animated Sticker Master 1.0 (am.asm.master);<\/li>\n
- Sleep Sounds 1.0 (com.voice.sleep.sounds);<\/li>\n
- Personality Charging Show 1.0 (com.charging.show);<\/li>\n
- Image Warp Camera;<\/li>\n
- GPS Location Finder (smart.ggps.lockakt).<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
Bitdefender experts found 35 malware in the Google Play Store that distributed unwanted ads, and which users in total downloaded more than 2,000,000 times. Let me remind you that we wrote that About 8% of apps in the Google Play Store are vulnerable to a bug in the Play Core library, and also that Mandrake […]<\/p>\n","protected":false},"author":3,"featured_media":10117,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[203,58,28],"class_list":{"0":"post-10113","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-bitdefender","9":"tag-google","10":"tag-malware"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2022\/08\/Google-Play-Malware.jpg","author_info":{"display_name":"Vladimir Krasnogolovy","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/krasnogolovy\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/10113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=10113"}],"version-history":[{"count":2,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/10113\/revisions"}],"predecessor-version":[{"id":10116,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/10113\/revisions\/10116"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/10117"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=10113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=10113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=10113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}