Android malware found hidden inside QR code apps

A new malware family recently infiltrated Google Play by presenting itself as a bunch of handy utilities.

This malware is now detected as Andr/HiddnAd-AJ, and the name gives you an inkling of what the rogue apps do: blast you with ads, but only after lying low for a while to lull you into a fals sense of security.

The offending apps have now been pulled from the Play Store, but not before some of them attracted more than 500,000 downloads.

The subterfuge used by the developers to keep the Google Play Protect app-vetting process sweet seems surprisingly simple.

First, the apps were, at least on the surface, what they claimed: six were QR code reading apps; and one was a so-called smart compass.

In other words, if you were just trying out apps for fun, or for a one-off purpose, you would be inclined to judge them by their own descriptions.

Second, the crooks did not fire up the adware part of their apps right away, lurking innocently for a few hours before unleashing a barrage of ads.

Third, the adware part of each app was embedded in what looks at first sight like a standard Android programming library that was itself embedded in the app.

By adding an innocent-looking graphics subcomponent to a collection of programming routines that you Would expect to find in a regular Android program, the adware engine inside the app is effectively hiding in plain sight.

For all its apparent innocence, however, this malware not only pops up advertising web pages, but can also send Android notifications, including clickable links, to lure you into generating ad revenue for the criminals.

When you run one of the these infected apps for the first time, it calls home for configuration information to a server controlled by the crooks.

Each configuration download gives the malware:

A Google Ad Unit ID to use. A list of URLs to open in your browser to push ads on you. A list of messages, icons and links to use in the notifications you will see. The time to wait before calling home for the next configuration update.

This makes it easy for the crooks to adapt the behaviour of the malware remotely, changing both its ad campaigns and its aggressiveness easily, without needing to update the malware code itself.

When samples were initially tested, the first configuration settings pushed out by the crooks were very low-key.

For the first six hours, the list of ads was empty, meaning that the behaviour of the apps was unexceptionable to start with…… before flooding the device with full screen ads, opening various ad-related webpages, and sending notifications with ad-related links in them, even when the apps own windows were closed.

Despite Googles failure to spot the roguery of these particular utilities before blessing them into the Play Store, it is nevertheless recommended to stick to the Google Play Store for all your downloads.

Googles app vetting process is far from perfect, but the company does at least carry out some pre-acceptance checks.

Many off-market Android app repositories have no checks at all – they are open to anyone, which can be handy if you are looking for unusual or highly specialised apps that would not make it onto Google Play (or trying to publish unconventional content).

But unregulated app repositories are also risky, for all the same reasons.