Google Play: fighting an uphill battle against Android adware

Google’s official Play marketplace is waging an uphill battle against Android apps that display an unending stream of popup ads even when users try to force them to stop, researchers said Friday.

The researchers, from UK-based SophosLabs, said they have found a total of 47 apps in the past week that collectively have racked up as many as 6 million downloads. They all use a third-party library that bombards users with ads that continue to display even after users force-close the app or scrub memory. In a blog post, SophosLabs said Google has removed some of the privately reported apps while allowing others to remain.

The MarsDae library that’s spawning the popup torrent supports Android versions 2.3 through 6, as well as Samsung, Huawei, Meizu, Mi, and Nexus devices. One app that incorporates MarsDae, SophosLabs said, is Snap Pic Collage Color Splash, which remained available on Google servers as this post was being prepared. Snap Pic has been downloaded from 50,000 to 100,000 times. Once installed, it displays ads on the Android home screen. Even after a user uses the Android settings to force close the app, the ads resume a few seconds later.

How it works

According to Sophos, the MarsDae library takes the following steps to keep ads appearing on devices running Android versions 5 and 6:

  1. It runs code that kicks off a number of processes.
  2. It creates a file, then locks it.
  3. Each process creates another file. For example, Process A creates a2 and repeatedly checks if Process B has created file b2, and vice versa.
  4. If Process A finds file b2, it means Process B has started and locked file b1. Process A can delete file b2. Process B will do the same thing for file a2.
  5. Process A keeps monitoring the lock status of file b1 while Process B monitors file a1. If any file is unlocked, it means the related process is dead. Then another process can restart it again.
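
The mutual-watchdog pattern in steps 2 and 5 leaves a visible trace: two processes of the same app, each holding an exclusive lock on its own file. The following is an added example for defenders, not code from Sophos or from the library, showing a heuristic that looks for that trace in a `/proc/locks` listing. It assumes the library's locks are kernel file locks that appear in `/proc/locks`; the listing, PIDs, UIDs and package names are constructed, and legitimate multi-process apps can match too, so a hit is a lead rather than a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in /proc/locks format (not captured from a real device).
SAMPLE_PROC_LOCKS = """\
1: FLOCK  ADVISORY  WRITE 4101 fd:00:1311 0 EOF
2: FLOCK  ADVISORY  WRITE 4102 fd:00:1312 0 EOF
3: POSIX  ADVISORY  READ  2200 fd:00:2001 0 EOF
4: FLOCK  ADVISORY  WRITE 3300 fd:00:3001 0 EOF
5: -> FLOCK  ADVISORY  WRITE 3301 fd:00:3001 0 EOF
"""
# Constructed pid -> (app UID, process name) map; on a device this would be
# built from /proc/<pid>/status and /proc/<pid>/cmdline.
SAMPLE_PROCS = {
    4101: (10123, "com.example.collage"),
    4102: (10123, "com.example.collage:helper"),
    2200: (10050, "com.example.mail"),
    3300: (10077, "com.example.notes"),
    3301: (10077, "com.example.notes:sync"),
}

LOCK_RE = re.compile(
    r"^\d+:\s+(->\s+)?(FLOCK|POSIX|OFDLCK)\s+(ADVISORY|MANDATORY)\s+"
    r"(READ|WRITE)\s+(-?\d+)\s+([0-9a-f]+:[0-9a-f]+:\d+)\s+\d+\s+(EOF|\d+)$"
)

def held_exclusive_locks(text):
    """Yield (pid, file_id) for each exclusive lock that is actually held."""
    for line in text.splitlines():
        m = LOCK_RE.match(line.strip())
        # Skip unparsable lines, blocked waiters ("->") and shared locks.
        if m and not m.group(1) and m.group(4) == "WRITE":
            yield int(m.group(5)), m.group(6)

def find_watchdog_candidates(locks_text, procs):
    """Map app UID -> sorted process names where two or more processes of
    that UID each hold an exclusive lock on a different file."""
    by_uid = defaultdict(dict)               # uid -> {pid: last file_id seen}
    for pid, file_id in held_exclusive_locks(locks_text):
        if pid in procs:                     # ignore pids we cannot attribute
            by_uid[procs[pid][0]][pid] = file_id
    return {
        uid: sorted(procs[pid][1] for pid in pids)
        for uid, pids in by_uid.items()
        if len(pids) >= 2 and len(set(pids.values())) >= 2
    }

if __name__ == "__main__":
    print(find_watchdog_candidates(SAMPLE_PROC_LOCKS, SAMPLE_PROCS))
```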

A full list of apps using the library includes:

PUAs on Google Play

This is just the latest in a growing list of PUAs (potentially unwanted apps) SophosLabs has found on Google Play. Other recent examples include:

  • Star Hop and Candy Link, which look like a couple of harmless games but hide malware that can switch on the device’s Wi-Fi and pummel the victim with spam.
  • Android XavirAd and Andr/Infostl-BK, which collect the user’s personal information, including email address, and send it to a remote server.
  • Super Free music player, which uses sophisticated techniques formerly found in BrainTest malware to bypass detection by Google and security researchers.

Defensive measures

As we mentioned above, SophosLabs has identified and protected Sophos users against this adware library.

Our advice: If you see these apps in Google Play, don’t download them. We’ll continue working with Google to get the remaining apps removed.

The continued onslaught of malicious Android apps demonstrates the need to use an Android anti-virus.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.

What happens

In the example below, we see the library used in an app called “Snap Pic Collage Color Splash.” The app has been downloaded from Google Play more than 50,000 times.

Once the app is installed, it will pop up ads on the user’s home screen.

Even if you force stop the app from system settings, the ads will resume after a few seconds.
