Google Play Store

Google security staffers have removed 22 Android apps reported to have been infected with the HiddnAd and Guerilla adware families.

Both adware infections came to light after Sophos researchers spotted them last week, and at the end of January, respectively.

There is no connection between the two Android adware strains, and each operated after a different scheme.

Guerilla adware

The first adware strain that came to light was Guerilla, which Sophos researcher Chen Yu found in 15 apps uploaded on the Play Store, most of which were clones of more successful titles.

All apps were fully functional and delivered on the functionality they advertised, but they also came with the Guerilla malware hidden in their code.

We call Guerilla malware because Yu says the adware's malicious code worked as a fully fledged backdoor, allowing miscreants to download and run any additional component.

Crooks could have downloaded anything they wanted, but they instead chose to retrieve plugins that performed an "aggressive ad-clicking function" that generated a profit for its creators.

"This is done covertly, so the app user might not even notice this behavior," Yu writes in a whitepaper released last month. "The ad-clicker is a resource hog and a problem, but the real danger of Guerilla is its ability to remotely deliver any payload module through its backdoor architecture."

"Users of the apps bundled with an ad platform like Guerilla can be held hostage by the those who control the C&C infrastructure," Yu says, hinting at a possible scenario where Guerilla infected phones could have been used to hold devices for ransom.

Below is a list of apps that Yu reported to Google Play Store staffers. Users should make sure they're not still using any of them.

Apps infected with Guerilla adware

HiddnAd adware

But Yu also stumbled across a second adware strain last week. The researcher also discovered HiddnAd, an adware family hidden in seven apps (six QR code readers and a smart compass app), also available on the Play Store.

HiddnAd wasn't as sophisticated as Guerilla, and instead of opening a backdoor on devices to download any component it wanted, crooks hid the adware's malicious code inside an innocent-looking "graphics" subcomponent.

Apps infected with HiddnAd passed Google safety checks because they delayed the execution of any malicious code for six hours, bypassing many of Google's behavioral security scans.

Unfortunately, Sophos has not released a full list of apps that contained the HiddnAd adware (only the four from the image below) but did say they had been removed from the Play Store in the meantime. Experts said the most successful of these apps attracted more than 500,000 downloads.

Apps infected with HiddenAd adware

Related Articles:

Android Apps Pretend to Mine Unmineable CryptoCurrencies to Just Show Ads

Google’s Android Apps Are No Longer Free for European Smartphone Makers

Google Accidentally Pushed Internal November 2018 Security Update to Pixel User

Trojanized App In Google Play Steals Bank Customers' Euros

Study of 17,260 Android Apps Doesn't Find Evidence of Secret Spying