It was only last week that researchers from Check Point uncovered a total of six apps laden with the PreAMo ad fraud malware on Google Play which had been installed 90 million times.
Now, the cybersecurity team from Avast have found a further 50 apps relating to lifestyle services which masquerade as legitimate software but are actually adware, and these malicious apps have been downloaded a total of 30 million times.
On Tuesday, Avast published a report on the discovery, in which the apps are linked to each other through third-party libraries that “bypass the background service restrictions present in newer Android versions.”
“Although the bypassing itself is not explicitly forbidden on the Play Store, Avast detects it as Android:Agent-SEB [PUP], because apps using these libraries waste the user’s battery and make the device slower,” the researchers say. “The applications use the libraries to continuously display more and more ads to the user, going against Play Store rules.”
Each app displays full-blown ads to users, and in some cases, will also attempt to lure viewers to install additional adware-laden applications.
The malicious apps include Pro Piczoo, Photo Blur Studio, Mov-tracker, Magic Cut Out, and Pro Photo Eraser. Installation counts range from one thousand to one million.
Two versions of the malware, referred to as TsSdk, have been found on the platform. The older of the two has been installed 3.6 million times and was buried in apps offering simple games, photo editing, and fitness systems.
Once installed, these apps would appear legitimate, but would also drop a number of shortcuts to unwanted pages or services on the Android home screen. A number of apps were also able to add a shortcut to a “Game Center” which would open up to a page advertising different gaming software.
When the screen was turned on, ads would be displayed, and in some cases, the applications would also be able to automatically install additional nuisanceware.
Newer versions of TsSdk were found in music and fitness apps and have been installed almost 28 million times. The code has been revamped and is encrypted, and perhaps in an attempt to stay on a host device longer, will only trigger if a victim clicks on a Facebook ad first.
A Facebook SDK feature called “deferred deep linking” permits these apps to detect such activity. After an ad is clicked, the app will only show additional adverts within the first four hours, and then less frequently and more randomly.
Fullscreen ads, however, are still shown — when the smartphone is unlocked, or every 15 and 30 minutes past the hour.
Avast notes, however, that the malware does not appear to function correctly on Android devices using version 8.0 Oreo or above due to incompatible changes in the background service management systems of these apps.
Avast has contacted Google to request that the apps are removed from Google Play. At the time of writing, a number of apps including Pro Piczoo, Photo Blur Studio, and Mov-tracker appear to have been pulled from the store.
ZDNet has reached out to Google for comment and will update if we hear back.