Over 60K Adware Apps Posing as Cracked Versions of Popular Apps Target Android Devices

Cyber Security Threat Summary:
“Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular applications to serve unwanted ads to users as part of a campaign ongoing since October 2022. ‘The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue,’ Bitdefender said in a technical report shared with The Hacker News. ‘However, the threat actors involved can easily switch tactics to redirect users to other types of malware such as banking Trojans to steal credentials and financial information or ransomware.’ The Romanian cybersecurity company said it has discovered 60,000 unique apps carrying the adware, with a majority of the detections located in the U.S., South Korea, Brazil, Germany, the U.K., France, Kazakhstan, Romania, and Italy” (The Hacker News, 2023).

Below is a list of some of the applications being masqueraded by the malware:

  • Game cracks
  • Games with unlocked features
  • Free VPN
  • Fake videos
  • Netflix
  • Fake tutorials
  • YouTube/TikTok without ads
  • Cracked utility programs: weather, pdf viewers, etc
  • Fake security programs


    It’s important to note that none of these apps are available on the play store. As such the malware operators need to convince users to download the apps from third-party sites.

    “The distribution is organic, as the malware appears when searching for these kinds of apps, mods, cracks, etc…For example, when the user opens a website from a Google search of a “modded” app, they would be redirected to a random ad page. Sometimes, that page is a download page for malware disguised as a legit download for the mod the user was searching for,” stated researchers at Bitdefender in a new blog post.

    Security Officer Comments:
    The development comes after Bitdefender used a recently announced industry-first app anomaly detection technology incorporated into Bitdefender Mobile Security to uncover the latest malware campaign. According to Bitdefender, none of the apps have an icon or name, making them tricky to spot and uninstall. Once the application is installed, the following message will be displayed on the victim’s device, “Application is unavailable in your region from where the app serves. Tap OK to uninstall." This is meant to be a diversion, enabling the threat actors to download malicious payloads in the background without the victim’s knowledge.

    “The modus operandi is another area of note wherein the adware behavior remains dormant for the first few days, after which it's awakened when the victim unlocks the phone in order to serve a full-screen ad using Android WebView” (The Hacker News, 2023).

    On a good note, Bitdefender says it has “implemented app anomaly detection technology in Bitdefender Mobile Security specifically to detect malicious actions like this”.

    Suggested Correction(s):
    Users should be careful when downloading applications from third-party sites and avoid videos on YouTube offering software cracks, as these are typically embedded with malicious payloads.

    Link(s):
    https://thehackernews.com/2023/06/over-60k-adware-apps-posing-as-cracked.html