In Google Play Store found nearly half a hundred of malware programs that mask under fitness applications

Specialists from Avast detected about 50 advertising applications that mask under applications for health and wellness and that in total wereunloaded more than 30 million times.

All applications are bonded with each other through side libraries that bypass limitations for side services, realized in the latest Android versions. They show full-screen advertisement and in some cases with the use of tricks can force users install additional advertising software.

Researchers discovered in Google Play Store two versions of malware software under the name TsSdk. Older version of this application was uploaded 3,6 million times and in located in a shop between simple games, photo editors and fitness – applications.

After upload, both applications look legitimate but reflect on the main screen links on unwanted pages and link on Game Center that leads on page with various games. Applications show commercials with every return to home screen and sometimes download on the device unwanted programs.

An example of one of the apps containing TsSDK

New versions of TsSdk found in section music and fitness-applications and were installed approximately 28 million times. Malware code was modified and masked and starts only after victim presses relevant advertisement on Facebook.

Facebook SDK function with the name «deferred deep linking» allows applications to fix, when user pressed the bottom. After pressing, applications reflects additional commercial during the first four hours, and after it rarely or less systematically. However, after unlocking a smartphone and every 15-30 minutes are demonstrated full-screen ads.

Malware does not work properly on Android Oreo 8.0 and later versions. Some of the malware applications are deleted from Google Play Store.

Source: https://blog.avast.com