Researchers at Malwarebytes have discovered four malicious apps listed on Google Play, all created by app developers Mobile Apps Group.
The apps are infected with the HiddenAds malware, as were older versions of the same apps – but the developer is still listed on the Play store.
Each of the four apps are designed to enable a Bluetooth connection with other devices, and have amassed over a million downloads between them.
The apps delay malicious behaviour for a few days to help evade detection, but after the initial delay, the app starts to open websites in Chrome. Some of these websites are harmless – designed purely to generated pay-per-click revenue for the developer, but others lead to phishing sites that aim to trick users into parting with legitimate credentials or personal information.
One example from the researchers is a page containing adult content that leads to a phishing page telling the user they’ve been infected with malware.
Look out for this behaviour
The malware opens the websites even when the phone is locked, so when you come to unlock your phone you may find a lot of tabs open in your Chrome browser that you don’t remember opening. The list of sites will also be in your browser history.
Also look out for popups urging you to take action. Two examples from the researchers shows the message
“Please wait! Your LG may be running slowly. To clean your device, stay on the page and install the recommended app.”
The malicious Android apps are called:
- Mobile transfer: smart switch
- Bluetooth App Sender
- Driver: Bluetooth, Wi-Fi, USB
- Bluetooth Auto Connect
If you’ve downloaded any of these apps, you should remove them now.
To protect yourself from malware and phishing on your Android device, we recommend you install our free app, Trustd for Android.
It uses deep learning of malware characteristics to identify malicious apps on your phone, and helps you to remove them. If you’re worried about mobile phishing, subscribe to Trustd Plus so you can open messages, click links and browse the web safely, knowing we’ll stop any phishing or malicious sites from automatically opening.