Threat Research

HiddenAds campaign on Play Store with 15M+ downloads discovered by Avast

Jakub Vávra, 23 June 2020

Avast researchers discover 47 apps on Play Store with intrusive ads and stealth features.

Avast researchers have discovered a large campaign of HiddenAds on the Google Play Store. HiddenAds refers to a family of Trojans that disguise themselves as safe and useful applications but in fact only serve to display intrusive ads to the user. The discovered apps masquerade as games and have a timer-triggered feature that hides the app icon, alongside the ability to display device-wide ads. The apps have over 15 million combined downloads on the Play Store.

The initial detection was made through similarities with a previous HiddenAds campaign that was also present on the Play Store. Upon further analysis of the app through apklab.io, Avast researchers were able to identify a wider campaign of 47 apps through shared activities, features, and network traffic. 

Play Store reviews made it apparent that these apps disrupt the user experience. This, combined with the apps’ ability to hide their icon and display ads outside the app, confirmed that they are part of the HiddenAds family.

Apps like these are considered adware, a type of malware that bombards you with intrusive and consistent ads and can steal your personal information, track you online and more. 

Features to look out for

The main shared feature across these apps is the appearance of a mobile game. Further research showed the games are generally a re-package of an older version of the game with added layers of ads and the hide icon ability. Once the user downloads the app, a timer starts within the app. The user is allowed to play the game for a set period of time, after which the timer triggers the hide icon feature of the app.

Once the icon is hidden, the app starts to display ads throughout the device without needing further actions from the user. The apps have the ability to draw over other apps to display timed ads that cannot be skipped. Several apps even open the browser to display intrusive ads.

Due to the hidden icon, the user may be unsure about the origin of the ads. The app can still be uninstalled through the app manager features of the device but requires the user to search out the source of the ads.

Another shared attribute of these apps is that the developer only has a single app on their developer profile with a generic email address. Similarly, the Terms of Service are identical across the discovered apps, likely pointing to an organized campaign by one actor. 
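The shared attributes described above (one app per developer profile, a generic contact address, identical Terms of Service) can serve as a pivot for grouping store listings. The following Python is an added example, not Avast's tooling or code from the original post; the listing fields, the free-mail domain list and the sample records are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Assumption: domains treated as "generic" free-mail providers.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

def tos_fingerprint(text, app_name):
    """Hash the ToS after masking the app name and normalising case and spacing."""
    if app_name:
        text = re.sub(re.escape(app_name), "<app>", text, flags=re.IGNORECASE)
    body = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def find_clusters(listings, min_size=3):
    """Group listings by ToS fingerprint; keep groups made of several distinct
    developers that each publish a single app and use a free-mail contact."""
    apps_per_dev = defaultdict(set)
    for item in listings:
        apps_per_dev[item["developer"]].add(item["app"])
    groups = defaultdict(list)
    for item in listings:
        groups[tos_fingerprint(item["tos"], item["app"])].append(item)
    clusters = []
    for fingerprint, members in groups.items():
        suspects = [
            m for m in members
            if len(apps_per_dev[m["developer"]]) == 1
            and m["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL
        ]
        if len({m["developer"] for m in suspects}) >= min_size:
            apps = sorted(m["app"] for m in suspects)
            clusters.append({"fingerprint": fingerprint, "apps": apps})
    return clusters

TOS = "By using {name} you agree to these terms.\nAds may be shown."
LISTINGS = [  # constructed sample data, not real store listings
    {"app": "Sample Game A", "developer": "dev-a", "email": "deva@gmail.com",
     "tos": TOS.format(name="Sample Game A")},
    {"app": "Sample Game B", "developer": "dev-b", "email": "devb@gmail.com",
     "tos": TOS.format(name="SAMPLE GAME B").replace("\n", "  ")},
    {"app": "Sample Game C", "developer": "dev-c", "email": "devc@outlook.com",
     "tos": TOS.format(name="Sample Game C")},
    {"app": "Studio Puzzle", "developer": "studio", "email": "legal@studio.example",
     "tos": "Studio terms of service."},
    {"app": "Studio Racer", "developer": "studio", "email": "legal@studio.example",
     "tos": "Studio terms of service."},
]

if __name__ == "__main__":
    for cluster in find_clusters(LISTINGS):
        print(cluster["fingerprint"][:12], cluster["apps"])
```

A cluster found this way is a lead for manual review, not a verdict: legitimate developers also reuse template Terms of Service.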

The apps’ reviews showcase the frustration of the users that downloaded the apps:

Spread

Combined, the apps have been downloaded more than 15 million times. Below is a table of the most downloaded apps:

| App Name | Downloads |
| --- | --- |
| Draw Color by Number | 1,000,000 |
| Skate Board - New | 1,000,000 |
| Find Hidden Differences | 1,000,000 |
| Shoot Master | 1,000,000 |
| Spot Hidden Differences | 500,000 |
| Dancing Run - Color Ball Run | 500,000 |
| Find 5 Differences | 500,000 |
| Joy Woodworker | 500,000 |
| Throw Master | 500,000 |
| Throw into Space | 500,000 |
| Divide it - Cut & Slice Game | 500,000 |
| Tony Shoot - NEW | 500,000 |
| Assassin Legend | 500,000 |
| Stacking Guys | 500,000 |
| Save Your Boy | 500,000 |
| Assassin Hunter 2020 | 500,000 |
| Stealing Run | 500,000 |
| Fly Skater 2020 | 500,000 |
| Disc Go! | 500,000 |

Based on the conducted research, it appears the campaign initially mainly targeted users in India and South East Asia. The apps likely spread through game ads focused in these regions. Due to the generic developer details and Terms of Service, the developers of the HiddenAds campaign remain unknown.

 

This gives us a snapshot of the initial spread; the current prevalence of these apps differs. Based on Avast’s internal statistics, this HiddenAds campaign is currently most prevalent in Brazil, India and Turkey.

Percentage spread of Avast users who have downloaded at least one of the HiddenAds apps in the last two weeks by country

The initial spread across other regions, which can be seen in the map above, is likely “collateral damage” caused by the apps’ presence on the Play Store. At the time of posting, Google has removed 30 of the apps.

To avoid downloading malicious apps in the Play Store, be sure to follow these five simple steps:

  • Carefully check the permissions the app requests before installing it. See what the app is asking to access; if the app is asking for data it does not need, it might be a red flag.
  • Read the privacy policy and the terms and conditions.
  • Read the user reviews. If there are a large number of negative reviews, you might want to reconsider downloading the app.
  • Download an antivirus app on your mobile device like Avast Mobile Security so that adware and other malicious apps are identified and blocked.