Seventy-five apps available for download from the official Google Play Store had to remove a malicious advertising library that was secretly an adware called AdDown, which Trend Micro researchers have been tracking for the last two years.

This adware appeared in January 2015 and besides showing ads to infected users, it also came with the ability to collect personal data on its victims, and at one point could even secretly install apps without the user's knowledge.

Over time, Trend Micro says it detected the adware in over 800 apps that were uploaded on the Play Store, usually as small utility apps, such as wallpaper changers, photo editors, and flashlight apps.

AdDown adware timeline

After an in-depth analysis of apps infected with the AdDown family during the past two years, researchers were able to identify three main stages in its evolution, named: Joymobile, Nativemob, and Xavier.

AdDown timeline

The first stage of evolution featured the simplest version of the adware, but was also the one with the most intrusive features, coming equipped with a method of installing apps behind the user's back.

The second stage removed this installation method, leaving only one that required the user's approval, but improved other features, such as comms encryption, internal string obfuscation, and user filtering for better ad delivery.

The third and last stage of AdDown was first detected starting with September 2016, and while it generally improved the second stage's features, it also added support for detecting and evading sandbox environments.

That version also removed the ability to install third-party apps, most likely as the adware's author realized he'd have a better chance of remaining undetected if he showed ads here and there, and not force apps down users' throats.

AdDown was distributed via an advertising SDK

Experts say that during the past two years, millions of users appear to have downloaded and installed apps infected with one of these three AdDown adware versions. Trend Micro researcher Ecular Xu said AdDown was distributed to various app developers as an advertising SDK, which explains why it was found in so many apps. Xu published a list of apps previously infected, but which have now removed AdDown from their code:

PackageName Download Count Remove Xavier Date
com.ijksoftware.pdfcreator.camscanner 10000-50000 2017/5/13
com.writeonpicture.textphoto 100000-500000 2017/5/13
com.inateam.cooler.master 500000-1000000 2017/5/13
com.equalizer.volumebooster 1000000-5000000 2017/5/13
com.styletext.font.textonphotos 100000-500000 2017/5/14
com.easytool.screenoff 100000-500000 2017/5/13
com.inateam.pdfreader 100000-500000 2017/5/13
com.placideagles.volumebooster 500000-1000000 2017/5/13
com.allinOne.openquickly 1000000-5000000 2017/5/13
com.inateam.ziprar 100000-500000 2017/5/13
com.coramobile.speedbooster.cleaner 1000000-5000000 2017/5/13
com.coramobile.security.antivirus 1000000-5000000 2017/5/12
com.cleaner.memorybooster.ramoptimizer 1000000-5000000 2017/5/13
com.coramobile.powerbattery.batterysaver 100000-500000 2017/5/12
com.pdfviewer.pdfreader.edit 500000-1000000 2017/5/13
com.cutterringtone.mp3cutter 100000-500000 2017/5/14
com.coramobile.phonecooler.cpucoolermaster 1000000-5000000 2017/5/12
com.autolockscreen.taptaplock 50000-100000 2017/5/13
com.easycapture.screenshot 50000-100000 2017/5/14
com.unziptool.rarextractor 50000-100000 2016/11/18
com.convertmp3.videoconverter 50000-100000 2017/5/13
com.lollicontact.caller 50000-100000 2017/5/13
com.fattys.automaticcallrecording 100000-500000 2017/5/13
com.ponosnocelleh.lolipoptheme 50000-100000 2017/5/13
com.ponosnocelleh.threedtheme 100000-500000 2017/5/13
com.mothrrmobile.volume 100000-500000 2017/5/13
com.greenapp.voicerecorder 10000-50000 2017/5/13
com.sunny.text2photo 100000-500000 2017/5/13
com.fingerprint.lockscreen.prank 100000-500000 2017/5/13
com.keeprr.cutpastephoto 100000-500000 2017/5/13
com.billowy.equalizer.bassbooster 100000-500000 2017/5/13
com.fattysgui.beautyfont 100000-500000 2017/5/13
com.aecenraw.emojionphoto 50000-100000 2017/5/13
com.appworksui.myfonts 100000-500000 2017/5/13
com.forecast.weatherlive.weather 10000-50000 2017/5/13
com.finder.photo.imagessearch 10000-50000 2017/5/13
com.galaxygame.fighterwar 100000-500000 2017/5/13
com.djayfree.mp3djmix 100000-500000 2017/5/13
com.qrscan.qrreader.qrcode 10000-50000 2017/5/13
com.yamagame.stormfighter 100000-500000 2017/5/13
com.minfiapps.screenshost_capture 100000-500000 2017/5/13
com.photogrid.frame.photocollage 10000-50000 2017/5/13
com.greenapp.slowmotion 100000-500000 2017/5/13
net.camspecial.clonecamera 500000-1000000 2017/5/13
com.rartool.superextract 100000-500000 2017/5/13
com.fattystudioringtone.mp3cutter 50000-100000 2017/5/13
com.aepictur.textphoto 100000-500000 2017/5/13
com.live3d.wallpaperlite 100000-500000 2017/5/13
com.xatedses.changehaircoloreye 100000-500000 2017/5/13
com.podhengy.haircolor 100000-500000 2017/5/13
com.mobilescreen.capture 100000-500000 2017/5/13
com.keeprr.textonphoto 100000-500000 2017/5/13
com.mobiletool.rootchecker 100000-500000 2017/5/13
com.galaxy.strikeforce 1000000-5000000 2017/5/13
com.podhengy.photoapp 50000-100000 2017/5/13
com.albumpro.videoslide.galleryphoto 50000-100000 2017/5/13
com.gpsonline.phonetracker 500000-1000000 2017/5/13
com.maxmitek.livewallpaperaquariumfishfish 50000-100000 2017/5/13
com.maxmitek.beachwallpaper 50000-100000 2017/5/13
com.xatedsesmobile.picturesketch 100000-500000 2017/5/13
com.efflicnetwork.ringtonecutter 50000-100000 2017/5/13
com.gigmobile.booster 100000-500000 2017/5/13
com.ponosnocelleh.launchers7 100000-500000 2017/5/13
com.magicvideo.editor.reversevideo 50000-100000 2017/5/12
com.azurersweet.djvirtual 500000-1000000 2017/5/12
com.sevideo.slideshow.videoeditor 1000000-5000000 2017/5/12
com.fourapps.musicplayer.videoplayer 100000-500000 2017/5/12
com.slowmotion.videoslow 500000-1000000 2017/5/12
com.fourvideo.videoshow.videoslide 1000000-5000000 2017/5/12
com.azurersweet.app2sdandremover 100000-500000 2017/5/12
com.azurer.vpnproxy.supervpn 500000-1000000 2017/5/12
com.azurersweet.launcher 50000-100000 2017/5/12
com.appgpfaq.prankcrackscreen 500000-1000000 2017/5/12
com.photoshow.videoeditor.slide 100000-500000 2017/5/12
com.azurersweet.beautymakeup 100000-500000 2017/5/12

Image credits: Trend Micro