This week, Symantec Threat Intelligence's May Ying Tee and Martin Zhang revealed that they had reported a group of 25 malicious Android applications available through the Google Play Store to Google. In total, the applications—which all share a similar code structure used to evade detection during security screening—had been downloaded more than 2.1 million times from the store.

The apps, which would conceal themselves on the home screen some time after installation and begin displaying on-screen advertisements even when the applications were closed, have been pulled from the store. But other applications using the same method to evade Google's security screening of applications may remain.

Published under 22 different developer accounts, all of the apps had all been uploaded within the last five months. The similarity in coding across the apps, however, suggests that the developers "may be part of the same organizational group, or at the very least are using the same source code base," May and Zhang wrote.

Most of the applications claimed to be either photo utilities or fashion-related. In one case, the app was a duplicate of another, legitimate "photo blur" application published under the same developer account name—with the legitimate version having been featured in the "top trending apps" category of Google Play's Top Apps charts. "We believe that the developer deliberately creates a malicious copy of the trending app in the hope that users will download the malicious version," May and Zhang concluded.

Phoning home

At first, after installation, the malicious apps appear normally on the Android home screen. But when launched, they retrieve a remote configuration file that includes the malicious code. Keywords associated with the malicious activity, including the code to hide the app's icon, are encrypted in the configuration file, "which we believe is an effort on the malware authors' part to avoid rule-based detection by antivirus scanners," explained May and Zhang.

Once the configuration file is downloaded, the app extracts the settings and changes its behavior accordingly. The app then hides its icon on the home screen and then starts displaying full-screen ads, even when the app is closed. "Full-screen advertisements are displayed at random intervals with no app title registered in the advertisement window, so users have no way of knowing which app is responsible for the behavior," the Symantec researchers noted.

Obviously, these malicious apps are intended to simply generate advertising revenue for their developers. "Thanks to the apps’ ability to conceal their presence on the home screen, users can easily forget they downloaded them," the researchers noted. And without a way to link the ads to a specific app, the developers have a captive audience and are free to keep pushing ads at their user-victims without concern about their apps being uninstalled.