Android users warned of new adware that has already infected MILLIONS of devices


Cyber security experts claim millions of Android devices may have been infected by a devastating new form of adware after downloading apps from the Google Play Store.

Researchers from SophosLabs have identified 47 apps which it says flood a user’s device with advertisements displaying them on screen even if the apps are shut down.

SophosLab says that while Google has removed some of the apps from the Google Play Store some still remain and are available to download.

The apps in question have been downloaded more than 6 million times, SophosLabs said.

The apps contain the MarsDae-A library that continuously serves pop up ads on the infected devices.

MarsDae runs on Android version 2.3 through to Android 6.0 on a variety of smartphones and tablets including those from Samsung, Huawei, Meizu, Mi and Nexus.

A full list of infected apps can be found on the SophosLabs website, some of which are photo editor apps, flashlight, Wifi boosters, file managers, Sudoku puzzles and weather apps.

SophosLab highlighted one of the apps, which was available to download from the Google Play Store and which had been downloaded more than 50,000 times.

The app Snap Pic Collage Color Splash contained the MarsDae-A library adware and anyone who downloaded it would be bombarded with pop up ads that appeared on their home screen.

The ads even appeared if the user went into settings and force stopped the app.

In a post on its website, SophosLabs detailed how the MarsDae adware works on Android versions 5 and 6:

Once dropped on an Android 5 and 6, the library repeats a series of steps to keep the ads running.

1. It runs code that kicks off a number of processes.
2. It creates a file, then locks it.
3. Each process creates another file. For example, Process A creates a2 and repeatedly checks if Process B has created file b2, and vice versa.
4. If Process A finds file b2, it means Process B has started and locked file b1. Process A can delete file b2. Process B will do the same thing for file a2.
5. Process A keeps monitoring the lock status of file b1 while Process B monitors file a1. If any file is unlocked, it means the related process is dead. Then another process can restart it again.

“As clever as the technique may be, all it does in the long run is ruin each app’s reputation on Google Play, SophosLabs said

“Annoyed users have made their unhappiness known.”

“If you see these apps in Google Play, don’t download them. We’ll continue working with Google to get the remaining apps removed.

“The continued onslaught of malicious Android apps demonstrates the need to use an Android anti-virus.

“By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.”

SophosLabs say they are continuing to work with Google to ensure the remaining apps are removed from the Google Play Store.

In the meantime, the advice to users is to not download any of the apps on the list and to make sure you always have antivirus software installed on your device.


Comments are closed.