How Advertising Malware smuggles Malware into the Google Play Store

“Always download apps from the official app store.” That is the usual advice for staying away from malware, but is it true? Several malware samples have been found in the official Store over the past years; Google reacted and hardened its systems, so your device is now scanned regularly for malware apps. Google also tightened its own security mechanisms: its contribution rules and app restrictions, meant to stop bad actors from abusing certain permissions, are now somewhat stricter.

[Image: Google malware] Picture Source: gizbot.com

Bad apps

Andr/HiddnAd-AJ was recently discovered; it managed to sneak its way into the official app store and infected 500,000 devices before it was caught. Possibly even more, since no precise numbers are given and nobody knows for certain whether it was also spread via sideloading: some people and platforms provide ‘mirrors’ so that users can sideload certain apps without downloading them from the official Play Store. Google took the app down to prevent further damage. At least one of the infected apps carried the “Verified by Play Protect” stamp of approval stating that it was free of malware!

How does it work?

The malware developer smuggled the malware into the app’s code by making it look like innocent Android system code, fooling Google’s scanning algorithm. Some of the infected apps were open source, which meant nothing about them looked immediately suspicious, because everything appeared legitimate. This hiding made the malware harder to identify.

[Image: infected apps] Some infected apps.

If a normal user downloads an app infected with malware, they can report the app for removal. The attacker’s second technique, therefore, is to ensure the malware doesn’t activate right away, so people are less likely to notice or report it.

Once the malware app is installed on the device, it waits several hours before activating. Other apps also check your battery status, or whether you are on a cellular network or a VPN, in order to hide malicious behaviour. This is roughly enough time for users to somewhat forget about the app they installed, and it covers the app’s tracks even better.

The malware named “Andr/HiddnAd-AJ” does what its name suggests: it hides on the user’s phone and begins producing ads after the six-hour mark. Fullscreen advertisements or ads delivered to the notification bar were then displayed. The malware can also call home to its developers, which lets them direct the malware’s ad campaign; it acts like a C&C server mechanism.
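The delayed-onset behaviour described above (ads that only start hours after install, plus a call home) is exactly what a short sandbox run misses but a per-app timeline check can catch. The following is an added example, not code from the original post; the log format and the package names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample event log (not from the original post): one line per app
# event, "timestamp|package|event". The QR-scanner app shows the hiding pattern:
# nothing for six hours, then ads and a beacon to a remote host.
SAMPLE_LOG = """\
2018-03-20T08:00:00|com.example.qrscanner|install
2018-03-20T08:05:00|com.example.qrscanner|foreground
2018-03-20T14:07:00|com.example.qrscanner|fullscreen_ad
2018-03-20T14:07:30|com.example.qrscanner|notification_ad
2018-03-20T14:08:00|com.example.qrscanner|network:ad-config.example
2018-03-20T09:00:00|com.example.notes|install
2018-03-20T09:01:00|com.example.notes|fullscreen_ad
"""

DELAY_THRESHOLD = timedelta(hours=6)  # the six-hour mark the post describes
AD_EVENTS = {"fullscreen_ad", "notification_ad"}


def parse_log(text):
    """Group events by package: {pkg: [(datetime, event), ...]} sorted by time."""
    by_pkg = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, event = line.split("|", 2)
        by_pkg.setdefault(pkg, []).append((datetime.fromisoformat(ts), event))
    for events in by_pkg.values():
        events.sort()
    return by_pkg


def find_delayed_ad_apps(text, threshold=DELAY_THRESHOLD):
    """Flag apps whose first ad appears only after `threshold` since install.
    Returns {pkg: {"hours": delay, "beacon": host-or-None}}; the beacon is the
    first network event at or after the first ad (the call-home channel)."""
    suspicious = {}
    for pkg, events in parse_log(text).items():
        installed = next((t for t, e in events if e == "install"), None)
        first_ad = next((t for t, e in events if e in AD_EVENTS), None)
        if installed is None or first_ad is None:
            continue  # an app that shows ads immediately is not hiding them
        delay = first_ad - installed
        if delay < threshold:
            continue
        beacon = next((e.split(":", 1)[1] for t, e in events
                       if e.startswith("network:") and t >= first_ad), None)
        suspicious[pkg] = {"hours": round(delay.total_seconds() / 3600, 2),
                           "beacon": beacon}
    return suspicious
```

The threshold is deliberately a parameter: tuning it lower catches shorter delays at the cost of more false positives from apps that legitimately load ads late.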

Removal

The apps are no longer a threat since they were removed from the Play Store. If you are still infected, you can install an AV solution to scan your device for malware apps. Alternatively, open the Google Play Store and manually press the ‘scan my device’ button; once something suspicious is found, you get a warning and a dialog asking whether you want to remove it.

Tips

  1. Check whether the app you want to use/install contains ads.
  2. Check reviews or reports to see whether the app or its developer has a good reputation.
  3. If the app doesn’t need any internet access to display additional content, simply block it with Android’s own firewall (it’s integrated into the ‘Apps’ – ‘details’ dialog, which lets you disable any internet connection for that app).
  4. Scan your device for malware on a regular basis if you often install new apps.
  5. Check the permissions. Newer Android versions provide a mechanism to restrict or block individual permissions.
  6. Freeze the app if you don’t need it. On a rooted device you can ‘block’ it from running by restricting its activities (downside: you need root).
  7. If the developer offers checksums, verify the binaries (in our case, the app) to ensure you don’t install a fake app that may be infected or compromised.
  8. Install as little as possible; you don’t need 400 apps, most people need only a handful for their daily routine. Consider whether there are apps that combine several functions, e.g. e-mail with calendar.
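Tip 7 in practice: compare the downloaded APK against the developer’s published checksum list and treat “not listed” as a failure rather than a pass. This is an added example, not code from the original post; the checksum-list format is the common `sha256sum` output, and the APK contents in the demo are constructed.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large APKs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums(text):
    """Parse sha256sum-style lines '<hex>  <filename>' into {filename: hex}."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip blanks, comments and malformed lines
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return expected


def verify_apk(path, checksums_text):
    """Return (ok, reason). ok is True only on an exact digest match; an APK
    that is missing from the list is reported as unverified, never as good."""
    expected = parse_checksums(checksums_text)
    name = os.path.basename(path)
    if name not in expected:
        return False, "no checksum published for %s" % name
    actual = sha256_of_file(path)
    if actual != expected[name]:
        return False, "mismatch: expected %s, got %s" % (expected[name], actual)
    return True, "ok"


def demo():
    """Constructed demo: a fake APK verifies against its published checksum,
    then fails once its bytes are altered (as a tampered mirror copy would)."""
    with tempfile.TemporaryDirectory() as d:
        apk = os.path.join(d, "app-release.apk")
        with open(apk, "wb") as f:
            f.write(b"PK\x03\x04 constructed fake apk contents")
        sums = "%s  app-release.apk\n" % sha256_of_file(apk)
        good = verify_apk(apk, sums)[0]
        with open(apk, "ab") as f:
            f.write(b"injected")
        bad = verify_apk(apk, sums)[0]
        return good, bad
```

A checksum only proves the file matches what the developer published; it says nothing about whether that published build is itself clean.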

Final Words

Google’s Play Store is far from perfect; alternatives like F-Droid might help, unless they become a bigger target for malware developers. Sideloading apps may also be a problem here, since you need to scan or verify the downloaded apps yourself, which for most people is not easy enough, or they need to manually allow root over adb (disabled by default).

I think this shows yet again that if smart people want to bypass something they will, and it’s only a matter of time; however, Google reacted more or less quickly and changed its algorithm once again to detect the new threat.

One solution or alternative could be to prefer (in this case) apps without any advertisements or in-app purchases, so it would immediately become apparent that something shady is going on if the app starts displaying ads after some time.

I think the Play Store does add some protection with its new mechanism, but like any other AV solution it is far from perfect.