Google Play Flooding with 100 + Malicious Apps That Installed In More Than 4.6 Million Android Devices

Researchers discovered over 100 malicious apps from Google play store that downloaded by more than 4.6 android users around the globe.

Most of the malicious apps are commits ad fraud, and the app malicious apps are using the same common code package dubbed “Soraka” (com.android.sorakalibrary.*).

“GBHackers on Security” reported several adware incidents in the past few months, and it’s rapidly growing to exclusively target the Android users to generate millions of dollars revenue.

Malware, Spyware, and Adware can accompany them, become a parasite in user’s systems resulting in unnecessary disruptions, and breaches of the personal data in your Android devices.

In addition to the Soraka code package, Researchers also discovered, in some of the apps, a variant with similar functionality which we dubbed “Sogo” (com.android.sogolibrary.*):

Some of The Malicious Apps Activities

An app called “Best Fortune Explorer App” published under the publisher JavierGentry80 commits to various malicious activities, including trick users to click the ads to generating revenue.

This apps contains more than 170,000 downloads with no Anti-Virus (AV) detections on VirusTotal.

Adware’s performing several filters the following code checks before a fraudulent ad  

• Screen On
• TopActivity
• Interval since installation
• Trigger on/off switches
• Ad Network daily count limit
• Trigger time interval (to space out the ad rendering for each trigger)

Sophisticated filter mechanism helps attackers to avoid detection from automated analysis .

In the ad fraud activities, Upon unlocking the device, the app code removes the background notification service that halts all fraud activity while the phone screen is off and the first Out-of-Context (OOC) ad is rendered a couple of seconds after the device is unlocked.

Attackers using Java-based persistence mechanisms to maintain persistence in the infected Android device.

“This mechanism also allows fine-grain control of who (or what) receives the ad fraud, using the controls of ad serving platforms. The apps render out-of-context ads when the filter conditions are appropriate.”

The White Ops Threat Intelligence team said that they continue to monitor these packages and will identify any emerging packages.

We recommend the removal of any apps listed in the Indicators of Compromise

Package Name:

art.photo.editor.best.hot

bedtime.reminder.lite.sleep

com.am.i.the.best.friends.hh

com.appodeal.test

com.beauty.mirror.lite

com.bedtimehelper.android

com.bkkmaster.android

com.calculator.game

com.card.life

com.cartoon.camera.pro.android

com.code.identifier.android

com.code.recognizer.android

com.color.spy.game

com.cute.kittens.puzzlegame.android

com.cute.love.test.android

com.daily.wonderfull.moment

com.dailycostmaster.android

com.dangerous.writing.note

com.data.securite.data

com.days.daysmatter365.android

com.days.remind.calendar

com.detector.noise.tool

com.dodge.emoji.game

com.dog.bark.picture.puzzle

com.drink.water.remind.you

com.ezzz.fan.sleep.noise

com.fake.call.girlfriend.prank2019

com.fakecaller.android

com.fake.caller.plus

com.false.location

com.fancy.lovetest.android

com.fast.code.scanner.nmd

com.filemanagerkilopro.android

com.filemanagerupro.android

com.filemanageryo.android

com.filemanagerzeropro.android

com.find.difference.detective.little

com.find.you.lover.test

com.frame.easy.phone

com.frank.video.call.lite

com.free.code.scanner.nmd

com.free.lucky.prediction.test

com.funny.lie.truth.detector

com.funny.word.game.english

com.game.color.hunter

com.ice.survival.berg

com.idays.dayscounter.android

com.important.days.matter

com.instanomo.android

com.isleep.cycleclock.android

com.led.color.light.rolling

com.lite.fake.gps.location

com.lovetest.plus.android

com.love.yourself.women

com.lucky.charm.text

com.lucky.destiny.teller

com.magnifying.glass.tool

com.math.braingame.puzzle.riddle

com.math.iq.puzzle.riddle.braingame

com.math.puzzles.riddle.braingame

com.multiple.scanner.plus.nmd

com.my.big.days.counter

com.my.constellation.love.work

com.my.pocker.mobile.mirror

com.nanny.tool.data

com.nice.mobile.mirror.hd

com.nomophotoeditor.android

com.non.stop.writing

com.phone.lite.frame

com.phone.mirror.pro

com.pocker.pro.mobile.mirror

com.prank.call.fake.ring

com.phonecallmaker.android

com.pro.test.noise

com.puzzle.cute.dog.android

com.scan.code.tool

com.simple.days.counter

com.sleep.comfortable.sounds

com.sleep.in.rain

com.sleepassistantool.android

com.sleeptimer.android

com.smart.scanner.master.nmd

com.test.find.your.love

com.test.fortune.tester

com.test.lover.match

com.tiny.scanner.tool.nmd

com.wmmaster.android

com.word.fun.level.english

good.lucky.is.coming.hh

mobi.clock.android

my.lucky.goddness.today.test

newest.android.fake.location.changer

nmd.andriod.better.calculator.plus

nmd.andriod.mobile.calculator.master

nmd.android.best.fortune.explorer

nmd.android.better.fortune.signs

nmd.android.clam.white.noise

nmd.android.fake.incoming.call

nmd.android.good.luck.everyday

nmd.android.location.faker.master

nmd.android.multiple.fortune.test

nmd.android.scanner.master.plus

nmd.android.test.what.suitable

photo.editor.pro.magic

pic.art.photo.studio.picture

relax.ezzz.sleep.cradle

super.lucky.magican.newest

test.you.romantic.quize

well.sleep.guard.relax

your.best.lucky.master.test.new

com.ssdk.test

bedtime.reminder.lite.sleep

com.frank.video.call.lite.pro.prank

com.personal.fortune.text

com.daily.best.suit.you

com.false.call.trick