How Advertising Malware Infected 500k Users via Google Play Apps

When the topic of app security comes up, one piece of advice constantly arises: “Always download apps from the official app store.” While this is the best advice possible, it is, unfortunately, not entirely foolproof! Apps that slip past the app store’s malware detection system are still uploaded. This was the case with the malware called “Andr/HiddnAd-AJ,” which managed to sneak its way onto the app store and infect 500,000 devices before it was caught.

How Did This Happen?


Every so often an app will smuggle its malware so well that Google’s anti-malware service Play Protect won’t catch it. In fact, before they were taken down, at least one of the apps had the “Verified by Play Protect” stamp of approval to state that it was free of malware!

The developers managed to smuggle the malware into the software’s code by making it look like innocent Android system code. To anyone giving a cursory glance over the source code, there wasn’t anything immediately suspicious about it, which made it harder to identify the malware installed within.

Despite this, there is a second layer of defense the app store has against malware: the users themselves. If a user downloads an app infected with malware, they can report the app for removal. The developer’s second method of attack, therefore, is to ensure the malware doesn’t activate right away. Once installed onto the device, this particular malware waited for six hours before springing into action. This is roughly enough time for the user to somewhat forget about the app they installed and covers the app’s tracks better.

This malware package was then bundled into seven apps: six QR code scanners and one smart compass. The apps performed their advertised functions perfectly so as not to arouse suspicion. It was only after the six-hour mark that these innocent-looking apps suddenly morphed into something far worse! Thankfully, these apps have now been taken off the market. While a full list of every infected app hasn’t been released, a picture from Sophos shows a handful of them.


What Does the Malware Do?

The malware itself, “Andr/HiddnAd-AJ”, does what its name suggests; it hides away in the user’s phone and begins producing ads after the six-hour mark. These range from fullscreen advertisements to messages in the notification bar. The malware also has the capacity to “phone home” to the developers, which allows them to direct the malware’s ad campaign if need be.

Other than this, there’s no evidence that the malware steals information or tries to damage your phone. As such, while the malware is definitely highly frustrating, there’s no need for immediate panic if it strikes.

How Do You Remove It?


If you’ve been hit by this malware, or you believe you’ve been infected by malware in general, it’s worth grabbing a solid antivirus solution that can identify and solve the problem. There’s a wide selection of antivirus services on Android, some being more efficient than others. We’ve personally selected our five best choices for Android antivirus if you want something guaranteed to work!

Malware No More

Despite being the safest place to get Android apps, the Play store isn’t perfect! The recent attack, with seven apps loaded with malware, is a stark reminder to be careful with what we download. Now you know about this threat, how it struck, and how to remove it.

Does this make you more suspicious of apps on the app store? Let us know below!

Image credit: Blogtrepreneur on Flickr

Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.
