Site icon Sophos News

Some Android adware apps hide icons to make it hard to remove them

Uninstalling an Android app caught pushing adware is normally simple to deal with – click and drag it to the top right of the screen and into the trash can.

App gone, ideally followed up with a public-spirited one-star rating on the Google Play store to alert others to its bad behaviour.

But what happens if there’s no home screen or app tray icon?

New research by SophosLabs has discovered 15 apps on Google Play that install without icons as part of a campaign to keep themselves on the user’s device.

The motivation is to keep pushing obtrusive ads for as long as possible. But for some of the apps, the evasion doesn’t stop with disappearing icons.

For example, Flash On Calls & Messages (1 million installs since January 2019) tries to convince users it never installed properly in the first place.

When first launched, users are greeted with the message “This app is incompatible with your device!” The app then opens the Play store and navigates to the page for Google Maps to distract users from the nature of this failure.

Others appear to install, complete with icons, before removing these some days later. Another trick is to use two different names and icons depending on where it is displayed. SophosLabs observed:

Nine out of the batch of 15 apps used deceptive application icons and names, most of which appeared to have been chosen because they might plausibly resemble an innocuous system app.

As is so often the case, there is no way to spot this kind of app just by looking at it before installation.

The list of deceptive apps included QR code readers, image editors, backup utilities, a phone finder, and one that claimed to clean the device of private data.

All detected by SophosLabs were from 2019, with anywhere from 1,000 to 1 million installations.

All were taken down after SophosLabs reported them to Google in July, which should mean they were automatically de-installed soon after that (see SophosLabs analysis for the full list).

Disgruntled users

Although these apps were different in intention to the ‘fleeceware’ Android apps publicized by SophosLabs in September, a common theme is that many users gave them negative reviews which didn’t seem to persuade Google to take a closer look.

In the latter case, that was despite those apps charging users outrageous sums of money once a trial period had elapsed.

We said it then and we’ll say it again – there must be a way for Google to spot fraudulent apps before they get their claws into the smartphones of users.

Exit mobile version