ESET researchers have observed an increased number of apps on Google Play using social engineering techniques to boost their ratings, ranging from legitimate apps, through adware to malware.
Among these falsely high-ranking apps, an aggressive ad-displaying trojan was spotted, installed by up to 5000 users as a tool to download content from YouTube. The app, detected by ESET as Android/Hiddad.BZ, uses several deceptive methods to trick users into installing its intrusive ad-displaying component and at the same time secure a good rating in the store. Similar deceptive techniques have recently been used in a number of ad-displaying apps on Google Play with a total of up to 800,000 installs, as found in ESET’s other recent research.
These apps “force” users into leaving high ratings under various pretences, which in turn makes them more likely to be downloaded in the future. What they have in common is a usually non-existent functionality; pop-up screens requesting five-star rating to proceed, unblock full content or remove ads; and an illogically high rating.
If you’ve downloaded this app, you will see both “Music Mania” and “plugin android” in your Application manager, with “plugin android” being the dropped payload responsible for aggressive ads. You will also find “Permissions required” under your device administrators.
Uninstalling the original app in Settings -> Application Manger -> Music Mania won’t be enough to remove the dropped payload. To fully clean your device of Android/Hiddad.BZ, disable its device administrator rights found under Settings -> Security -> Device administrators -> Permissions Required. Then you can proceed to uninstalling the payload by going to Settings -> Application Manger -> plugin android.
Alternatively, use a reliable mobile security solution to detect the threats and remove them for you.
You can read the full article with screenshots of the malware on ESET Ireland’s Official Blog.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.