Android Apps With a Million Downloads Led Users to Phishing Sites

A group of four apps listed on Google Play, with over a million downloads overall, has been infected with the HiddenAds malware.

The apps, published by the developer Mobile apps Group, are 'Bluetooth Auto Connect,' 'Driver: Bluetooth, Wi-Fi, USB,' 'Bluetooth App Sender,' and 'Mobile transfer: smart switch.'

The discovery was made by security experts at Malwarebytes, who published an advisory about the threat on Tuesday.

"Our analysis of this malware starts with us finding an app named Bluetooth Auto Connect," the team wrote. "After the initial delay, the malicious app opens phishing sites in Chrome."

According to Malwarebytes, the content of the phishing sites varies, with some being harmless sites used to produce pay-per-click and others being more dangerous phishing sites that attempt to trick users.  

"For example, one site includes adult content that leads to phishing pages that tell the user they've been infected or need to perform an update," the company wrote.

Malwarebytes explained that the Chrome tabs remain open in the background, even while the smartphone is locked.  

"When the user unlocks their device, Chrome opens with the latest site. A new tab opens with a new site frequently, and as a result, unlocking your phone after several hours means closing multiple tabs. The user's browser history will also be a long list of nasty phishing sites."

According to the advisory, the evidence of malicious behaviors spotted by the team indicates the malicious tools are more than just adware bypassing Google Play Protect detection.

"With a heavy dose of obfuscation and harmful phishing sites, this is clearly the malware we know as Trojan HiddenAds," Malwarebytes warned. "Thanks to our Malwarebytes support team and our customers, we were able to track down this nasty malware."

The advisory comes two months after NCC Group spotted that an upgraded version of the SharkBot mobile malware had resurfaced on Google's Play Store.

Update November 10, 2022: A Google spokesperson reached out to Infosecurity Magazine and said, "The apps identified in the report are no longer available on Google Play and the developer has been banned."
