This time the checkmate has been done by cybercriminals. They have been successful in distributing malware to several Android users by hiding it within a series of apps, which are apparently harmless.

As detected, the malware was sneaked onto the Google Play store disguised as seven different apps, namely, six QR readers and one ‘smart compass’. So, by this, the malware has bypassed security checks by hiding its true intent with a combination of clever coding and delaying its initial burst of malicious activity.

Following installation, the malware waits for six hours before it begins work on its true purpose. This includes serving up adware, flooding the user with full-screen adverts, opening adverts on web pages, and sending various notifications containing ad-related links.

All of this activity was basically designed with the intent of generating click-based revenue for the attackers, even when the app itself isn’t actively running. The general purpose and nature of the apps allowed the attackers to pull in a large number of downloads. Discovered by researchers at SophosLabs, the malware dubbed Andr/HiddnAd-AJ. This again has been thought to have infected at least a million users, as one of the malicious apps was downloaded 500,000 times before being pulled by Google.

Image Credit: ZD Net

Now, crucially, in order to hide the infectious nature of the download, no malicious operations would run on an infected device for the first few hours after installation. However, once a period of grace has passed, the configuration download from the server would run, providing a list of URLs, messages, icons, and links, all for pushing ads onto the victim.

In addition to the malicious activity initially being hidden, the malware is helped by the code for the adware being embedded in what looks like a standard Android programming library within the files of the app.

In addition to the standard programming subcomponents of the app, the attackers add a ‘graphics’ section, which looks innocent but contains instructions for getting all the information and files required for running malicious adverts.

Upon discovering the malicious apps, Sophos informed Google, which has now removed the apps from the Play Store.


Even after this, despite Google’s failure to spot the malicious nature of these apps, Sophos recommends Android users to continue downloading apps from the Play Store because it’s at least safer than third-party Android app stores.

Paul Ducklin, a senior technologist at Sophos, also added to this, that, “If you find a dodgy app in the Play Store, it is worthwhile reporting it, on the computer security principle that an injury to one is an injury to all. After all, if your report helps to convince Google to remove the offending app, you just played a positive part in preventing anyone else from downloading it in future.”

However, to this, a Google spokesperson also regarded that Sophos had informed them about the malware and that it has now been removed from the Play Store.


Nonetheless, even after this, with a user base that is large, even a small percentage of malicious apps slipping through the net can result in millions of users passively becoming victims.