The dangers of websites hosting modified APK files that promise full games, cracked apps and other benefits cannot be overstated. They are so pervasive online, in fact, that you’re much more likely to get a malware file than the item the uploaders promise.
Content or app piracy can’t be ignored. It is a worldwide phenomenon, and many users are likely unaware that they’re actually doing something wrong. After all, they’ve simply downloaded an app that appears on the first page of results for a generic Google search.
Besides piracy, Android users are looking for trainers and mods for games hosted on the same websites. The attackers who distribute this malware know exactly what people want, and they build infected packages that can serve those requests.
Almost an industry
A recent Bitdefender investigation found tens of thousands of unique “apps” designed to plant malware on Android devices. They deploy annoying full-screen ads, so we categorize them as HiddenAds.
While they might seem innocuous, they’re anything but. Since the number of unique samples we see in the wild is so large, it likely means an automated process continues to churn out these “apps.”
The reason for the quotation marks around the word “app” is simple: these are not the apps, mods, or cracks they claim to be. They just use the names of popular, legitimate apps to trick people into downloading them. You’re not downloading YouTube Add Free Cracked. You’re only getting HiddenAds malware with that name.
As a simple experiment, I performed a basic Google search for cracked Android apps and opened the first website on the list (results might vary depending on your search history). I downloaded the first APK, which promised to be a full game you would otherwise need to pay for.
The browsing experience on that website will differ depending on the platform used. When using Google Chrome on a desktop computer, you’re met with lots, but on the mobile version, the website aggressively tries to persuade you to enable notifications. Those notifications can always be used to push malware links for other, much more serious threats.
I installed the APK on a clean Android device with no security solution present, and the result was straightforward. I received a message that the application is not available in my region and that it will be uninstalled. Of course, the message itself is fake and the application is already installed at that point. This is exactly the behavior we observed in the previous investigation.
The new application is not visible in the apps list at the expected location based on its name. It has a transparent icon and a special character that places it at the end of the list. The only way to see that I was infected was to track the name of the APK via ADB commands from a terminal or check the list of installed apps and scroll all the way to the bottom.
Our investigation revealed that the full-screen ads can take a long time to appear, sometimes even two weeks, making it more difficult for the user to connect the two incidents.
The best way to protect against these types of threats is to install Bitdefender Mobile Security for Android. With its new App Anomaly Detection technology, the security solution will inform users that an application is misbehaving and is likely malware. Of course, the problematic APKs will also be flagged as malicious.
This is what you would see if the security solution is present:
Always install apps from official stores, use a security solution, and avoid downloading apps from third-party sources, especially when they promise to deliver mods, trainers, cracks or full versions of apps that you’d normally have to pay for.