Android adware tricks ad networks into thinking it's an iPhone to make more money

Google has recently removed 22 Android apps from the Play Store. The apps were removed for abusing Android devices to load and click on ads behind the users' backs.

Also: Best Green Monday 2018 deals: Business Bargain Hunter's top picks

The Google Play Store has been plagued by an adware epidemic these past few months, as ZDNet detailed in a previous article.

What made this particular Android adware campaign stand out wasn't the fact that the infected apps clicked ads behind users' backs, but the fact that the apps disguised the Android device as an iPhone in the eyes of online advertisers.

The reason for this highly unusual behavior is that ad networks value traffic from Apple devices more than Android, Linux, or Windows. This particular adware gang appears to have noticed this small detail and reacted accordingly.

22 adware apps found, downloaded more than 2 million times

Sophos Labs, the cyber-security firm which discovered these malicious apps and reported them to Google last month, said this adware operation appears to have started around June, this year.

Sophos malware researcher Chen Yu said the company identified 22 Android apps part of this campaign, all which have been collectively downloaded more than two million times from Google's official Play Store. Of the 22 apps, the most popular app was Sparkle, an Android flashlight app downloaded more than one million times.

Curiously, three of the 22 apps were created back in 2016 and 2017, and earlier versions were deemed clean prior to the June releases, suggesting that the app maker, most likely the same dev, had a change of heart regarding the apps' monetization strategy.

In a detailed analysis of the adware's modus operandi published last week, Chen said this particular strain was more aggressive than other previously discovered Android adware families.

Adware would re-start itself if shut down

The adware, which Sophos detects as Andr/Clickr-ad, would start a hidden browser window, change the browser's UserAgent string to an iPhone, access particular pages, and mimic clicks on ads shown on the page, generating a profit for the adware operator.

Must read

• Fortnite's battle with Android security problems is just getting started (CNET)
• Android Monero-mining malware can destroy phones (TechRepublic)

The aggressive part, Chen said, was that these apps also contained code that automatically re-started themselves after three minutes if the user would have closed its process. Chen said this would lead to an increase in battery consumption on infected phones.

Furthermore, just like all modern adware strains, Andr/Clickr-ad also contained the ability to download and run other files, but the operators of this adware didn't seem interested in abusing such functionality, being content with only generating profits via ad fraud.

Sophos published the list of all 22 apps that contained the malicious adware code. Chen said the same developers had also published iOS apps on the iTunes Store, but these apps didn't appear to include the ad-clicking code.

Cybercrime and malware, 2019 predictions

Related stories:

• US iOS users targeted by massive malvertising campaign
• Google Play Protect analyzes every Android app that it can find on the internet
• Meet the malware which turns your smartphone into a mobile proxy
• Senator blasts FTC for failing to crack down on Google's ad fraud problems
• Many free mobile VPN apps are based in China or have Chinese ownership
• Two iOS fitness apps tricked users into making TouchID payments