Know your enemy: Advertising ghost trojans on Android
Tuesday, June 1, 2021
Many of you have probably heard the phrase "advertising is the engine of trade". It’s impossible to disagree with it. Indeed, ads help manufacturers and service suppliers find their customers and expand their target markets. But are all ads useful? Of course not. For example, if an ad is too aggressive, it distracts from important problems, sets nerves on edge or simply is false and misleading. This type of advertising, unfortunately, is very common on Android-powered devices, and malicious applications that have been specially created for this display it. That is what we’re going to discuss.
Advertising trojans from the Android.HiddenAds family are some of the most abundant Android-targeting malware programs. We have repeatedly reported on them (for example, in our 2019 research) and they are frequently part of our monthly virus activity reviews. But since this is a very nasty and common type of malware, we want to make as many users as possible aware of it.
Attackers distribute these trojan under the guise of a variety of useful programs—mobile photo editors, camera filters, collections of stickers and images, programs for fortune-telling, games, guides, messengers, utilities, recipes collections and many others—it all depends on how rich a virus writer's imagination is. They are found both on Google Play and in third-party app catalogues. You can also run into them after downloading them from compromised or malicious sites.
Here are just a few examples of the Android.HiddenAds trojans that our virus analysts have discovered on Google Play:
Some Android.HiddenAds malicious applications are "blank"—they do not have the features stated. Others are more advanced; they can work as you’d expect to avoid arousing your suspicion too soon.
Depending on the version and modification involved, they start showing ads immediately after their launch or after some time passes so that you manage to get distracted and forget about their installation. As a rule, the ads they show are full-screen banners. They are displayed on top of other program windows and even on top of the operating system interface. They can contain both static and animated images. And sometimes—video clips with sound.
Such banners interfere with a device’s operation—they appear suddenly and block everything that is under them. At the same time, a feature of many Android.HiddenAds trojans is that they show advertisements even when the malicious application itself is closed and you are working with another software program at that moment. And what if you're driving and you check your route or how bad traffic jams are in your navigation application while your device is fixated to your car’s dashboard? The map suddenly disappears, and a bright animated advertisement for a bank, some game, or a service appears in its place. This will at the very least irritate you. And it’s good if this doesn’t end up causing you to crash. Or, let's say, you are resting after a hard day's work; you’re watching a video, when suddenly on top of it you see a window with a completely different video—an advertisement where a hypothetical employee of a trading network, accompanied by loud music, begins ranting about discounts. It's easy to get scared, and the rest of your day will be hopelessly ruined.
But that's not all. One of the distinguishing features of Android.HiddenAds trojans is that after their launch, they can, either automatically or on an attacker’s command, hide their icons so they do not appear in the list of installed programs on an Android device’s main screen menu. This is done in order to make it harder for you to detect and remove them, and that gives virus writers more time to make money off of their aggressive and annoying advertisements.
The Anti-virus Times recommends
In the case of trojans from the Android.HiddenAds family and other similar malicious applications, advertising is not the engine of trade but only causes headaches for many Android device users.
To protect your device against such threats, you need to use an anti-virus. Also, before installing an application, you should carefully examine the reviews—including fake ones placed by hackers to increase the attractiveness of such programs; and you can find a lot of honest reviews from users whose devices have already been compromised by them.
If, after you’ve downloaded an app from Google Play, it suddenly disappears (i.e., its icon disappears off the main screen) and you start to see full-screen advertising, you’ve most likely encountered an advertising trojan or another similar malicious application. You can try to find it in the system menu, in the list containing all programs, but virus writers often try to predict that you’ll do that and give their application some inconspicuous name. For example, by simulating the system software so you do not decide to remove it. In this case, you can try to find and remove the trojan via the Play Market program by opening the current user menu and selecting "My apps and games". It is easy to find recently installed suspicious programs and remove them without interfering with a device's operation.
Tell us what you think
To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.