A group of four apps listed on Google Play, with more than one million downloads in total, has been found to be infected with HiddenAds malware.
The apps, released by developer Mobile apps Group, are “Bluetooth Auto Connect”, “Driver: Bluetooth, Wi-Fi, USB”, “Bluetooth App Sender” and “Mobile transfer: smart switch”.
The discovery was made by security experts at Malwarebytes, who published an advisory on the threat on Tuesday.
“Our analysis of this malware begins with a search for an app named Bluetooth Auto Connect,” the team wrote. “After an initial delay, the malicious app opens phishing sites in Chrome.”
According to Malwarebytes, the sites vary in content: some are harmless sites used to generate pay-per-click revenue, while others are more dangerous phishing sites that attempt to trick users.
“For example, a site includes adult content that leads to phishing pages telling the user that they have been infected or that they need to update,” the company wrote.
Malwarebytes explained that Chrome tabs remain open in the background, even when the smartphone is locked.
“When the user unlocks their device, Chrome opens with the latest site. A new tab opens frequently with a new site, and therefore unlocking your phone after several hours means closing multiple tabs. The user's browser history will also be a long list of malicious phishing sites.”
According to the advisory, the evidence of malicious behavior spotted by the team indicates that the malicious tools are more than just adware that circumvents Google Play Protect detection.
“With a heavy dose of obfuscation and harmful phishing sites, this is clearly the malware we know as the HiddenAds Trojan,” Malwarebytes warned. “Thanks to our Malwarebytes support team and our customers, we were able to track down this nasty malware.”
The advisory comes two months after NCC Group spotted an enhanced version of the SharkBot mobile malware resurfacing on Google’s Play Store.