Recent findings by cybersecurity experts from McAfee’s Mobile Research Team have brought to light a concerning trend of adware specifically aimed at Korean Android users. This adware campaign involves certain apps distributed through Google Play that discreetly load ads while the user’s device screen is turned off.
While this may initially appear as a non-intrusive method for developers to generate profits, it is important to note that such practices directly violate Google Play Developer policies, which clearly define how ads should be displayed. Consequently, this malicious ad-loading deceives advertisers who unknowingly pay for invisible ads, and negatively impacts users in numerous ways.
Upon investigation, the research team identified 43 rogue apps involved in this ad fraud, accumulating a total of 2.5 million downloads. Notably, popular categories such as TV/DMB players, music downloaders, news, and calendar apps were among those affected.
It is worth highlighting the technical sophistication of the ad fraud library used by these apps, employing delay tactics to avoid detection and inspection. Moreover, the deceptive behavior can be remotely modified and pushed using Firebase Storage or Messaging service, further complicating the identification of these rogue apps.
Once installed, the adware requests specific permissions, such as “power saving exclusion” and “draw over other apps,” enabling covert activities in the background. This creates an opportunity for additional malicious behavior, including the display of phishing pages and ads without the user’s awareness.
When the device screen is turned off, the ad fraud mechanism activates, fetching and loading ads discreetly, all while users remain unaware. The library records device information and accesses unique domains to retrieve advertisement URLs from Firebase Storage, resulting in battery drain and excessive mobile data consumption.
McAfee promptly reported these apps to Google, leading to swift action by the tech giant. Many of the identified apps have been removed from the Play Store, while others have received updates to ensure compliance with Google’s policies.