Researchers discover 60,000 ‘modded’ Android apps carrying adware
Tens of thousands of “modded” Android apps are installing adware on unsuspecting users’ devices, researchers have found.
The campaign involving some 60,000 apps was detected by cybersecurity company Bitdefender and has been active since at least October 2022.
The campaign preys upon Android device owners who go looking for copies of legitimate applications that have been modified in some way to unlock features, Bitdefender said. The “modded” software isn’t available in traditional app stores.
In its current form, the campaign is more of a nuisance than a serious threat — clogging up a phone with unwanted pop-ups and ads for gambling sites — but it has the potential to cause significant harm.
“Upon analysis, the campaign is designed to aggressively push adware to Android devices with the purpose of driving revenue,” researchers wrote. “However, the threat actors involved can easily switch tactics to redirect users to other types of malware, such as banking Trojans to steal credentials and financial information or ransomware.”
Among the apps spreading the adware were free VPN programs, modified online games and cracked utility programs like PDF viewers.
Given the scope of the malware, and the fact that all 60,000 malicious apps are unique, researchers believe that the campaign is automated.
The malware doesn’t launch until a user tries to install an infected application. The device then shows an error message saying that the app is unavailable in the region and offers to uninstall the program. In reality, the application will soon begin running in the background.
When a user unlocks their phone, the application uses the device’s mobile browser to load a full-page advertisement. It can command the browser to load videos, open tabs, serve notifications, and more.
“The distribution worldwide is all the more impressive given that it's not in any official stores,” Bitdefender wrote. “The malware's operators, however, still need to persuade users to download and install third-party apps, so they've disguised their threat on highly sought-after items you can't find in official stores, even if they were legitimate.”
Modded and fake app developers have taken advantage of a program’s popularity in the past to spread malware, most recently with fake versions of ChatGPT. And in 2020, more than 1 million devices were infected with adware via fake “modpacks” for Minecraft.
James Reddick
has worked as a journalist around the world, including in Lebanon and in Cambodia, where he was Deputy Managing Editor of The Phnom Penh Post. He is also a radio and podcast producer for outlets like Snap Judgment.