Wednesday, February 15, 2023
HomeCyber SecurityNew HiddenAds malware impacts 1M+ customers and hides on the Google Play...

New HiddenAds malware impacts 1M+ customers and hides on the Google Play Retailer

Authored by Dexter Shin

McAfee’s Cell Analysis Crew has recognized new malware on the Google Play Retailer. Most of them are disguising themselves as cleaner apps that delete junk information or assist optimize their batteries for machine administration. Nevertheless, this malware hides and constantly present commercials to victims. As well as, they run malicious providers mechanically upon set up with out executing the app.

HiddenAds features and promotion

They exist on Google Play though they’ve malicious actions, so the sufferer can seek for the next apps to optimize their machine.

Figure 1. Malware on Google Play
Determine 1. Malware on Google Play

Customers might typically suppose putting in the app with out executing it’s protected. However you could have to vary your thoughts due to this malware. If you set up this malware in your machine, it’s executed with out interplay and executes a malicious service.

As well as, they attempt to disguise themselves to stop customers from noticing and deleting apps. Change their icon to a Google Play icon that customers are conversant in and alter its title to ‘Google Play’ or ‘Setting.’

Figure 2. Hide itself by changing icons and names
Determine 2. The Malware hides itself by altering icons and names

Mechanically executed providers continually show commercials to victims in quite a lot of methods.

Figure 3. A sudden display of advertisements
Determine 3. A sudden show of commercials

These providers additionally induce customers to run an app once they set up, uninstall, or replace apps on their units.

Figure 4. A button to induce users to run app

Figure 4. A button to induce users to run app
Determine 4. A button to induce customers to run app

To advertise these apps to new customers, the malware authors created promoting pages on Fb. As a result of it’s the hyperlink to Google Play distributed by respectable social media, customers will obtain it indubitably.

Figure 5. Advertising pages on Facebook

Figure 5. Advertising pages on Facebook
Determine 5. Promoting pages on Fb

The way it works

This malware makes use of the Contact Supplier. The Contact Supplier is the supply of knowledge you see within the machine’s contacts utility, and you may also entry its information in your individual utility and switch information between the machine and on-line providers. For this, Google offers ContactsContract class. ContactsContract is the contract between the Contacts Supplier and purposes. In ContactsContract, there’s a class referred to as Listing. A Listing represents a contacts corpus and is applied as a Content material Supplier with its distinctive authority. So, builders can use it in the event that they wish to implement a customized listing. The Contact Supplier can acknowledge that the app is utilizing a customized listing by checking particular metadata within the manifest file.

Figure 6. Content providers declared with special metadata in manifest
Determine 6. Content material suppliers declared with particular metadata in manifest

The essential factor is the Contact Supplier mechanically interrogates newly put in or changed packages. Thus, putting in a package deal containing particular metadata will at all times name the Contact Supplier mechanically.

The primary exercise outlined within the utility tag within the manifest file is executed as quickly as you put in it simply by declaring the metadata. The primary exercise of this malware will create a everlasting malicious service for displaying commercials.

Figure 7. Create a malicious service for displaying ads
Determine 7. Create a malicious service for displaying advertisements

As well as, the service course of will generate instantly even whether it is compelled to kill.

Figure 8. Malicious service process that continues to generate
Determine 8. Malicious service course of that continues to generate

Subsequent, they modify their icons and names utilizing the <activity-alias> tag to cover.

Figure 9. Using <activity-alias> tags to change app icons and names
Determine 9. Utilizing tags to vary app icons and names

Customers contaminated worldwide

It’s confirmed that customers have already put in these apps from 100K to 1M+. Contemplating that the malware works when it’s put in, the put in quantity is mirrored because the sufferer’s quantity. In line with McAfee telemetry information, this malware and its variants have an effect on a variety of nations, together with South Korea, Japan, and Brazil:

Figure 10. Top affected countries include South Korea, Japan, and Brazil
Determine 10. High affected nations embody South Korea, Japan, and Brazil


This malware is auto-starting malware, in order quickly because the customers obtain it from Google Play, they’re contaminated instantly. And it’s nonetheless continually creating variants which might be printed by completely different developer accounts. Due to this fact, it’s not straightforward for customers to note such a malware.

We already disclosed this risk to Google and all reported purposes have been faraway from the Play Retailer. Additionally, McAfee Cell Safety detects this risk as Android/HiddenAds and protects you from such a malware. For extra details about McAfee Cell Safety, go to

Indicators of Compromise


App IdentifyBundle IdentifyDownloads
Junk Cleanercn.junk.clear.plp1M+
Tremendous Clearcom.tremendous.clear.zaz500K+
Full Clear -Clear Cacheorg.stemp.fll.clear1M+
Fingertip Cleanercom.fingertip.clear.cvb500K+
Fast Cleanerorg.qck.cle.oyo1M+
Hold Clearorg.clear.sys.lunch1M+
Windy Clearin.cellphone.clear.www500K+
Carpet Clearog.crp.cln.zda100K+
Sturdy Clearin.reminiscence.sys.clear500K+
Meteor Clearorg.ssl.wind.clear100K+



  • 4b9a5de6f8d919a6c534bc8595826b9948e555b12bc0e12bbcf0099069e7df90
  • 4d8472f0f60d433ffa8e90cc42f642dcb6509166cfff94472a3c1d7dcc814227
  • 5ca2004cfd2b3080ac4958185323573a391dafa75f77246a00f7d0f3b42a4ca3
  • 5f54177a293f9678797e831e76fd0336b0c3a4154dd0b2175f46c5a6f5782e24
  • 7a502695e1cab885aee1a452cd29ce67bb1a92b37eed53d4f2f77de0ab93df9b
  • 64d8bd033b4fc7e4f7fd747b2e35bce83527aa5d6396aab49c37f1ac238af4bd
  • 97bd1c98ddf5b59a765ba662d72e933baab0a3310c4cdbc50791a9fe9881c775
  • 268a98f359f2d56497be63a31b172bfbdc599316fb7dec086a937765af42176f
  • 690d658acb9022765e1cf034306a1547847ca4adc0d48ac8a9bbdf1e6351c0f7
  • 75259246f2b9f2d5b1da9e35cab254f71d82169809e5793ee9c0523f6fc19e4b
  • a5cbead4c9868f83dd9b4dc49ca6baedffc841772e081a4334efc005d3a87314
  • c75f99732d4e4a3ec8c19674e99d14722d8909c82830cd5ad399ce6695856666


  • http[://]


Most Popular