Malware on the Google Play store leads to harmful phishing sites

A family of malicious apps from developer Mobile apps Group are listed on Google Play and infected with Android/Trojan.HiddenAds.BTGTHB. In total, four apps are listed, and together they have amassed at least one million downloads.

Older versions of these apps have been detected in the past as different variants of Android/Trojan.HiddenAds. Yet, the developer is still on Google Play dispensing its latest HiddenAds malware.

This follows on the heels of adware that was found on Google Play just a couple months ago from a rogue PDF reader.

Play1Play2Play3Play4Play5Play6

Delayed ungratification

Our analysis of this malware starts with us finding an app named Bluetooth Auto Connect (full app information at the bottom of this article). When users first install this malicious app, it takes a couple of days before it begins to display malicious behavior.  Delaying malicious behavior is a common tactic to evade detection by malware developers.  It turns out that this app uses delays quite a bit, as you’ll discover in our analysis.

After the initial delay, the malicious app opens phishing sites in Chrome. The content of the phishing sites varies—some are harmless sites used simply to produce pay-per-click, and others are more dangerous phishing sites that attempt to trick unsuspecting users.  For example, one site includes adult content that leads to phishing pages that tell the user they’ve been infected, or need to perform an update.

The Chrome tabs are opened in the background even while the mobile device is locked.  When the user unlocks their device, Chrome opens with the latest site.  A new tab opens with a new site frequently, and as a result, unlocking your phone after several hours means closing multiple tabs.  The users browser history will also be a long list of nasty phishing sites.

phish_site2phish_site3phish_site4phish_site5

Deeper analysis using LogCat

As per my last blog post, I once again used an Android OS test phone and plugged it into my laptop running LogCat via good old Android Device Monitor. To clarify, LogCat is used to observe all logs created by installed apps and the Android OS, including the logs of this malware.  The first log entry from this malware came several hours after the initial installation.

10-20 05:11:07.504: D/sdfsdf(11987): {"adDelay":7200000,"flurryId":"YQBTHDXPVMFT3D7Z7Q92","chromeLink":"https://<phishing_URL>.com/?ts=1666264263370&id=344","showOuterAd":true,"firstAdDelay":259200000,"versionWithNoAd":"no"}

The first important datapoint of the log entry is what LogCat calls the Tag.  This usually is a descriptor of the log text like ActivityManager. In this case, they use an obfuscated tag of sdfsdf — another sign of willful deception. Diving into the Text segment of the log, where the important data is stored, there are couple of key datapoints: adDelay, chromeLink, and firstAdDelay.

First, the chromeLink is the URL of the phishing site to open in Chrome. Next, let’s look at the firstAdDelay datapoint with the value of 259200000. This value is the length of delay to displaying the first ad in milliseconds—seventy-two hours. Add the several hours to this delay before the log entry is created, and you have roughly four days from the time the malicious app is installed to when it displays the first ad in Chrome. 

Keep in mind that the delay length of each malware app varies.  Additionally, after the first ad is displayed, it then has an adDelay of 7200000, or two hours.  It’s unclear if that means to wait an additional two hours after the first ad delay, or display another ad two hours after the first ad.  Regardless, it is another example of using delays to obfuscate detection.  These type of log entries are recorded every fifteen minutes, constantly setting new time released ads.

After the delay time ends, the ad is then triggered to display.  At this instant, it creates additional log entries using tag ActivityManager.

10-24 08:26:30.476: I/ActivityManager(765): START u0 {act=android.intent.action.VIEW dat=https:// <phishing_URL>.com/... flg=0x14002000 pkg=com.android.chrome cmp=com.android.chrome/org.chromium.chrome.browser.ChromeTabbedActivity (has extras)} from uid 10062
10-24 08:26:31.026: W/ActivityManager(765): Activity pause timeout for ActivityRecord{736d893 u0 com.android.chrome/org.chromium.chrome.browser.ChromeTabbedActivity t11780}

These log entries are representative of when Chrome opens a new tab with a phishing site using activity ChromeTabbedActivity. After that point, unlocking the mobile device will reveal the ad.

Tracing it back to code

Now that we have LogCat entries, the next step in our analysis is to trace back to where in the code this malicious behavior is happening.  To do that, we first need to look in the app’s Manifest file.

The Manifest file is basically a guide for the Android OS to use to run activities, services, and receivers of an app.  Each activity, service, and receiver contains code to be ran. Every Android app has a Manifest file.

Many times, the activities, services, and receivers used by a particular malware is unique.  However, at first glance at this malware it is hard to tell which activities, services, or receivers are running the malicious code.  This is where the LogCat entries can assist.  These logs are the smoking gun of exactly what activities, services, or receivers are triggering malicious behavior. Ironically, their attempt to obfuscate detection using a LogCat tag of sdfsdf made tracking the culprit easy. A quick search of sdfsdf in the code reveals it traces back to service name com.github.libpackage.service.PushService, and activity name com.github.libpackage.view.NotificationActivity. The use of the popular GitHub in the naming convention is yet another blatant attempt to obfuscate detection.  From there, we were able to further verify using the additional datapoints from the LogCat text.

History of HiddenAds

Continuing to focus on Bluetooth Auto Connect, this app has had a long history of being infected with different variants of HiddenAds.  Note that other apps from Mobile apps Group have a similar history. 

  • Date of release 2020-12-??: Bluetooth Auto Connect v1.4 infected wtih Android/Trojan.HiddenAds.llib
  • Date of release 2021-01-05: Bluetooth Auto Connect v1.8 infected wtih Android/Trojan.HiddenAds.llib
  • Date of release 2021-01-11: Bluetooth Auto Connect v1.9 infected wtih Android/Trojan.HiddenAds.llib
  • Date of release 2021-01-19: Bluetooth Auto Connect v2.2 infected wtih Android/Trojan.HiddenAds.llib
  • Date of release 2021-01-22: Bluetooth Auto Connect v2.3 clean
  • Date of release 2021-02-09: Bluetooth Auto Connect v2.6 infected wtih Android/Trojan.HiddenAds.ATASHT
  • Date of release 2021-02-10: Bluetooth Auto Connect v2.7 infected wtih Android/Trojan.HiddenAds.ATASHT
  • Date of release 2021-02-12: Bluetooth Auto Connect v2.9 infected wtih Android/Trojan.HiddenAds.ATASHT
  • Date of release 2021-02-26: Bluetooth Auto Connect v3.0 clean
  • Date of release 2021-03-04: Bluetooth Auto Connect v3.1 clean
  • Date of release 2021-04-26: Bluetooth Auto Connect v3.8 clean
  • Date of release 2021-06-11: Bluetooth Auto Connect v4.0 clean
  • Date of release 2021-07-22: Bluetooth Auto Connect v4.1 clean
  • Date of release 2021-10-21: Bluetooth Auto Connect v4.5 clean
  • Date of release 2021-12-15: Bluetooth Auto Connect v4.6 infected wtih Android/Trojan.HiddenAds.BTGTHB
  • Date of release 2021-10-21: Bluetooth Auto Connect v4.8 infected wtih Android/Trojan.HiddenAds.BTGTHB
  • Date of release 2022-08-02: Bluetooth Auto Connect v5.4 infected wtih Android/Trojan.HiddenAds.BTGTHB
  • Date of release 2022-08-17: Bluetooth Auto Connect v5.5 infected wtih Android/Trojan.HiddenAds.BTGTHB
  • Date of release 2022-10-12: Bluetooth Auto Connect v5.7 infected wtih Android/Trojan.HiddenAds.BTGTHB (current version on Google Play)

It is disappointing that Mobile apps Group has persisted on the Google Play store after having malicious apps in the past — twice!  It’s unclear if previous malicious versions from before January 19, 2022—versions 2.2 and before—were ever caught by Google Play.  Since version 2.3 was clean, it seems likely that the developers were caught and uploaded a clean version.

What we do know is that DrWeb blogged about Bluetooth Auto Connect v2.5 having what it calls Adware.NewDich back in February 24, 2021.  We can only assume Google Play took action at that point by removing the most current malicious version at the time of the writing—version 2.9.  However, on February 26, just two days after the DrWeb blog, the developers released the clean version 3.0 onto Google Play. That meant Mobile apps Group remained on Google Play without even a probation period.

As a result of having two strikes from Google Play, the developers cleaned up their act from version 3.0 to 4.5, or Febraury 26 to October 10, 2021.  Then, on December 15, 2021, the developers released the code for the most current HiddenAds variant in version 4.6.  Now on version 5.7, that malicious code remains to this date.  A run of over ten months with malicious code on Google Play.  Perhaps its time to say three strikes and you’re out to Mobile apps Group.

More than just adware

With all the evidence of malicious behaviors, one can only assume this is more than just adware that’s surpassing Google Play Protect detection. With a heavy dose of obfuscation and harmful phishing sites, this is clearly the malware we know as Trojan HiddenAds. Thanks to our Malwarebytes support team and our customers, we were able to track down this nasty malware.  As always, you can remediate using our free scanner, Malwarebytes Mobile Security.

App information

Package name: com.bluetooth.autoconnect.anybtdevices

App name: Bluetooth Auto Connect

Developer: Mobile apps Group

MD5: C28A12CE5366960B34595DCE8BFB4D15

Google Play URL: https://play.google.com/store/apps/details?id=com.bluetooth.autoconnect.anybtdevices

Package name: com.driver.finder.bluetooth.wifi.usb

App Name: Driver: Bluetooth, Wi-Fi, USB

Developer: Mobile apps Group

MD5: 9BC55834B713B506E92B3787BE83F079

Google Play URL: https://play.google.com/store/apps/details?id=com.driver.finder.bluetooth.wifi.usb

 

Package name: com.bluetooth.share.app

App Name: Bluetooth App Sender

Developer: Mobile apps Group

MD5: F764F5A04859EC544685E30DE4BD3240

Google Play URL: https://play.google.com/store/apps/details?id=com.bluetooth.share.app

  

Package name: com.mobile.faster.transfer.smart.switch

App Name: Mobile transfer: smart switch

Developer: Mobile apps Group

MD5: AEA33292113A22F46579F5E953596491

Google Play URL: https://play.google.com/store/apps/details?id=com.mobile.faster.transfer.smart.switch


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

https://blog.malwarebytes.com/feed/