Android Malware

Over 60,000 Android apps disguised as legitimate apps have quietly installed adware on mobile devices while remaining undetected in the past six months.

The discovery comes from the Romanian cybersecurity company Bitdefender, which detected the malicious applications using an anomaly detection feature added to its Bitdefender Mobile Security software last month.

“To date, Bitdefender has discovered 60,000 completely different samples (unique applications) containing the adware and we suspect there are many more in the wild,” Bitdefender warned.

The campaign is believed to have started in October 2022 and is being distributed on third-party sites as fake security software, game cracks, cheats, VPN software, Netflix and utility apps.

The malware campaign primarily targets users in the United States, followed by South Korea, Brazil, Germany, the United Kingdom, and France.

Geographical distribution of the Android malware campaign
Source: Bitdefender

Installed stealthily to evade detection

The malicious apps aren’t hosted on Google Play but on third-party websites surfaced in Google Search results that push APKs, the Android package files used to install mobile apps manually outside an app store.

When visiting the sites, you will either be redirected to websites displaying advertisements or prompted to download the application you are looking for. The download sites are purposely created to distribute malicious Android apps in the form of APKs which, once installed, infect Android devices with adware.

When the application is installed, it does not configure itself to run automatically, as doing so requires additional privileges. Instead, it relies on the normal Android app installation flow, which prompts users to “open” an app after it’s installed.

Also, the apps don’t use an icon and have a UTF-8 character in the app label, which makes them harder to spot in the app list. This is a double-edged sword, as it also means that if a user does not start the app after installing it, it probably won’t launch afterwards.

If launched, the app will display an error message that “The app is not available in your region. Tap OK to uninstall”.

However, in reality the app is not uninstalled but just sleeps for two hours before registering two intents which cause the application to launch when the device is started or when the device is unlocked. Bitdefender indicates that the unlock trigger is disabled for the first two days, likely to avoid drawing the user’s attention.
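The behaviour described above (blank or non-printable label, no icon, start-on-boot and start-on-unlock triggers registered after a delay) translates into a simple triage heuristic a defender can run over an APK’s manifest plus any broadcast intents observed at run time. The following Python script is an added example written for this article, not Bitdefender’s tooling or code from the samples. It assumes the two triggers are the standard `android.intent.action.BOOT_COMPLETED` and `android.intent.action.USER_PRESENT` actions (the article describes the triggers but does not name them), and the manifest and log lines it scans are constructed sample data.

```python
"""Triage heuristics for sideloaded Android APKs, modelled on the indicators
described in the article: a label with no visible characters, no icon, and
start-on-boot / start-on-unlock triggers. All sample data below is constructed."""
import re
import unicodedata
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Standard Android broadcast actions for "device started" / "device unlocked".
# Assumption: the samples listen for these two; the article only describes the
# triggers, not the action names.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}


def label_is_blank(label: str) -> bool:
    """True when the label contains no letter or digit, e.g. only a zero-width
    space, which renders as an empty app name in the launcher."""
    return not any(unicodedata.category(ch)[0] in ("L", "N") for ch in label)


def manifest_indicators(manifest_xml: str) -> dict:
    """Static indicators pulled from AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""
    icon = app.get(ANDROID + "icon") if app is not None else None
    actions = set()
    for component in root.iter():
        if component.tag not in ("activity", "activity-alias", "receiver", "service"):
            continue
        for intent_filter in component.findall("intent-filter"):
            actions.update(a.get(ANDROID + "name", "") for a in intent_filter.findall("action"))
    return {
        "package": root.get("package", ""),
        "blank_label": label_is_blank(label),
        "no_icon": icon is None,
        "static_triggers": sorted(actions & TRIGGER_ACTIONS),
    }


def actions_from_log(lines) -> set:
    """Extract 'act=' values from Intent.toString() output in logcat-style lines.
    The samples register their receivers at run time, after the two-hour sleep,
    so a manifest scan alone can miss the triggers."""
    found = set()
    for line in lines:
        found.update(re.findall(r"act=([\w.]+)", line))
    return found


def score(indicators: dict, runtime_actions=()) -> int:
    """Weighted score combining static and dynamically observed indicators."""
    triggers = set(indicators["static_triggers"]) | (set(runtime_actions) & TRIGGER_ACTIONS)
    s = 2 if indicators["blank_label"] else 0
    s += 1 if indicators["no_icon"] else 0
    s += 2 * len(triggers)
    return s


# Constructed sample: label is a single zero-width space (&#8203;), no icon,
# a boot receiver declared statically.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
  <application android:label="&#8203;">
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".Wake">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed logcat-style lines showing the unlock trigger observed at run time.
SAMPLE_LOG = [
    "I/ActivityManager: Start proc 4242:com.example.fakevpn/u0a210 for broadcast {com.example.fakevpn/.Wake}",
    "D/Wake: onReceive Intent { act=android.intent.action.USER_PRESENT flg=0x10 cmp=com.example.fakevpn/.Wake }",
]

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <application android:label="Weather" android:icon="@mipmap/ic_launcher">
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, manifest, log in (("sample", SAMPLE_MANIFEST, SAMPLE_LOG), ("benign", BENIGN_MANIFEST, [])):
        ind = manifest_indicators(manifest)
        print(name, ind, "score =", score(ind, actions_from_log(log)))
```

The scoring weights are arbitrary; the point is that each indicator on its own (an empty label, a missing icon, a boot receiver) is common in legitimate apps, while the combination, especially when the unlock trigger only shows up in run-time logs days after install, is what the article describes and is worth escalating.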

Logging Android intents that start the malicious app
Source: Bitdefender

Once launched, the application will contact the attackers’ servers and retrieve the URLs of advertisements to be displayed in the mobile browser or as a full-screen WebView advertisement.

While the rogue apps are currently used only to display advertisements, researchers warn that the threat actors could easily swap the adware URLs for more malicious websites.

“After analysis, the campaign is designed to aggressively push adware onto Android devices for the purpose of generating revenue,” warns Bitdefender.

“However, the threat actors involved can easily switch tactics to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information or ransomware.”

Android devices are highly targeted by malware developers because they can install apps from outside the Google Play Store, where apps are not vetted for malware.

However, threat actors continue to evade detection, even on Google Play, allowing malicious apps to spread widely.

Last week, researchers from Dr. Web and CloudSEK discovered a malicious spyware SDK that had been installed over 400 million times on Android devices through apps on Google Play.

While Google Play still has its share of rogue apps, installing your Android apps from the official Android store is much safer. Installing Android apps from third-party sites is strongly discouraged, as they are a common malware vector.
