One of the most common ways of spreading Android malware – including malware found on the official Google Play Store – is by masquerading as a legitimate popular application. The last such example that we discussed on WeLiveSecurity was a fake Dubsmash app and Android/TrojanDropper.Mapin compromising tens of thousands of users’ devices. In order to help make Google Play a safer place for Android users, ESET continues to monitor the official Android app market for malicious or potentially unwanted applications.
This has led to the discovery of another threat on Google Play, which has so far been downloaded more than 200,000 times. This time the trojan impersonated the famous games Pou and Subway Surfers, each with hundreds of millions of downloads. The apps pose as Cheats for Pou, Guide For SubWay and Cheats For Subway, claiming to offer the same application functionality in apps. The payload of these applications was to deliver ads to users at regular intervals.
While ad-supported applications are common in the Android ecosystem, there’s a clear boundary of behaviors that ESET cannot condone. These particular AdDisplay PUAs contain specialized self-protection functionalities that not only make the removal of the app from the Android device more difficult, but also help it evade detection by Google Bouncer in the first place.
When users realize that the apps are exhibiting very unusual behavior and try to uninstall them, they will find that this is far from easy – the apps will ask the users to activate the device’s administrator rights. Thus, users may have difficulty removing this AdDisplay threat. This PUA also uses an interesting anti-Bouncer technique to avoid being blocked by the Bouncer filter before it is released on Google Play.