
    Auto-launching HiddAd on Google Play Store found in more than 6 million downloads

    By Editor | July 28, 2022 | Updated: July 28, 2022

    HiddenAd, or HiddAd, is a family of icon-hiding adware applications. The prime motive of HiddAd is to generate revenue through aggressive advertising. As long as HiddAd stays on the device, it generates revenue for the malware author. To make uninstalling difficult, malware authors hide the application's icon from the application drawer. They also use various deceptive techniques to make uninstallation less intuitive for users.

    HiddAd is not new to the Google Play Store. We have seen many such malware applications on the Google Play Store in the last 3-4 years.

    • In May 2018, researchers found 38 HiddAd applications on the Google Play Store disguised as games and education applications. These applications were found to be displaying ads and redirecting users to install another application. To hide the application icon, these applications used the setComponentEnabledSetting API. They added another layer of deception by using one name on the Google Play Store and a different application name after installation. This name change made it even more difficult for users to identify the app and remove it from their devices.
    • In the same month, another researcher found a HiddAd application on Google Play Store that was forcing users to leave 5-star ratings in order to remove ads from the app. This was meant to increase its reach, as a good rating was supposed to increase its chance of being downloaded. In June 2018, a HiddAd application posing as a bike racing game was found making uninstallation difficult by using the device admin permission.

    2019 is known as the year of HiddAds, as many such applications were reported in that year.

    • In February 2019, 40 HiddAds were reported to be using social media to spread.
    • In August, 85 photography and gaming applications recorded timestamps and started showing ads 30 minutes after the first launch.
    • In September 2019, 25 new HiddAds were reported using configuration files to hide their icon.
    • Similarly, in October, another 15 applications were reported that used deceptive application icons and names resembling a system application.

    We saw similar cases related to HiddAd applications in 2020. In February 2021, the updated version of the Barcode Scanner application, with 10 million downloads, was found to be HiddAd.

    Quick Heal researchers have also contributed to this effort by reporting and removing multiple HiddAds from Google Play Store.

    • In August 2018, we found 8 HiddAd applications on Google Play Store which were using application names such as Google Play Service or Google Play Store and icons of genuine apps such as Google Play Store, the default Android icon, or YouTube.
    • In September 2019, we reported 29 HiddAds with 10 million+ downloads using different techniques to hide their code.
    • In March 2020, Quick Heal researchers reported another 15 HiddAds to Google.

    Recently we found 14 such applications on Google Play Store. The download count of all these applications is more than 6 million. These applications are HiddAd malware and execute themselves without user interaction. We refer to them as "Autolauncher HiddAds." Fig. 1 shows the icons of the malicious applications.

    Fig. 1 Application icons

    Now let's take a look at one of these applications.

    Application Name: Windy Clear

    MD5: 2e4649e88bd9ae39d66b92f473fae8e9

    As soon as we installed the application, it immediately started its activity. We did not need to take any action; we did not even click on its icon to run the application. It hides its icon from the application drawer and starts displaying overlapping pop-up advertisements. Fig. 2 shows pop-up ads displayed by the malicious application.

    Fig. 2 Malware application showing ads

    In the background, as soon as the installation completes, the application sends a request to the advertising server. It sends information about the OS, phone, etc. In response, it gets encrypted information about the advertisement.

    Fig. 3 Malware makes this request as soon as it is installed

    This application uses a broadcast receiver to execute its code on various system broadcasts:

    Fig. 4 Broadcast Receiver’s intent filter
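
    A defender-side triage of the two behaviours described above (code triggered by system broadcasts, and a launcher icon that can be hidden), as an added example that is not part of the original article or the researchers' tooling. The watch list of broadcast actions, the function names and the sample manifest are constructed assumptions; the filter shown in Fig. 4 is not reproduced on this page.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
LAUNCHER = "android.intent.category.LAUNCHER"
# Assumed watch list; the filter from the article's Fig. 4 is not available.
SYSTEM_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.ACTION_POWER_CONNECTED",
}
# Constructed sample (decoded manifest XML), not taken from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cleaner">
  <application>
    <activity android:name=".Main"/>
    <activity-alias android:name=".Icon" android:targetActivity=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".AdTrigger" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def names(elem, tag):  # android:name values of all <tag> descendants of elem
    return {e.get(NS + "name") for e in elem.iter(tag)}

def triage(manifest_xml):
    """Return (system-broadcast receivers, launcher components, review flags)."""
    root = ET.fromstring(manifest_xml)
    receivers = {r.get(NS + "name"): sorted(names(r, "action") & SYSTEM_ACTIONS)
                 for r in root.iter("receiver") if names(r, "action") & SYSTEM_ACTIONS}
    launchers = [(c.tag, c.get(NS + "name")) for c in root.iter()
                 if c.tag in ("activity", "activity-alias") and LAUNCHER in names(c, "category")]
    flags = []
    if receivers:
        flags.append("receiver wired to system broadcasts")
    if not launchers:
        flags.append("no launcher entry declared")
    elif all(tag == "activity-alias" for tag, _ in launchers):
        flags.append("launcher icon exists only as an alias (can be disabled at runtime)")
    return receivers, launchers, flags

if __name__ == "__main__":
    print(triage(SAMPLE))
```

    The input is the decoded text manifest (for example, the output of a tool such as apktool), not the binary AndroidManifest.xml inside the APK. The flags are prompts for manual review, since legitimate apps also register for these broadcasts.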

    These applications show aggressive ads overlapping other applications, which is very annoying for the users who install them. Some users have expressed their anger by writing bad reviews about the application.

    Fig. 5 Users expressing their anger

    As illustrated in the following table, all these applications are listed in the Tools category. They claim to provide free Android cleanup and optimization features: phone acceleration, CPU cooling, junk cleaning, battery saving, virus scanning, etc. They use these claims to reach more users and increase the download count. Each application is published from a different developer account, but all of them have a similar code structure and malicious behavior. Most of these applications were recently released on Google Play Store.

    Fig. 6 Application information

    IOC List:

    Quick Heal Security Labs detects these apps with variants of Android.Hiddad:

    Conclusion:

    The above-mentioned malware applications behave differently from the other malware we reported earlier. Automatically launching applications without user interaction is a dangerous weapon that can be misused to harm the user's device and data. We may see more malware applications using such techniques in the future. Quick Heal's Security Lab continuously checks applications from Google Play Store for such malware.

    The application is guaranteed to bombard you with pop-up advertisements. If you have the Hiddad adware on your device, we recommend that you remove it immediately.

    Tips to keep you safe from such malware applications:

    • Do not fall for claims made by application developers.
    • Read the reviews, as they can give some idea of how the application actually behaves.
    • Try to limit yourself to known apps from known developers, and keep only those apps on your mobile that are really required.
    • Use a reliable mobile antivirus (like Quick Heal Total Security) that can prevent fake and malicious apps, adware, etc., from getting installed on your phone.

    Digvijay Mane
