Several adware apps aggressively promoted on Facebook as system cleaners and optimizers for Android devices count millions of installs on the Google Play Store.
The apps lack all promised features and push ads while trying to stay on the device as long as possible.
To evade deletion, the apps hide on the victim’s device by constantly changing icons and names, masquerading as Settings or Play Store itself.
The adware apps hijack the Contact Provider Android component, which allows them to transfer data between the device and online services.
The subsystem is invoked every time a new app is installed, so the adware might use it to initiate the ad-serving process. It can appear to the user as if the ads are being pushed by the legitimate app they have installed.
researchers at McAfee the adware apps detected. They note that once installed, users do not need to launch them to see the ads since the adware initiates itself automatically without any interaction.
The first action of these annoying apps is to create a persistent service to display the advertisements. When the process is “killed” (terminated), it immediately restarts.
The video below shows how the adware’s name and icon change automatically and how ads are displayed without user interaction.
Millions of downloads on Google Play
As McAfee comments in the report, users are convinced to trust the adware apps because they see a Play Store link on Facebook, leaving little room for doubt.
This has resulted in unusually high download counts for each type of application, as shown in the list below:
- garbage mancn.junk.clean.plp, over 1 million downloads
- EasyCleanercom.easy.clean.ipz, over 100,000 downloads
- power doctor, com.power.doctor.mnb, over 500,000 downloads
- Super cleancom.super.clean.zaz, over 500,000 downloads
- Completely clean -Clean Cache, org.stemp.fll.clean, 1M+ downloads
- fingertip cleanercom.fingertip.clean.cvb, over 500,000 downloads
- quick cleanerorg.qck.cle.oyo, over 1 million downloads
- Keep cleanorg.clean.sys.lunch, over 1 million downloads
- Windy cleanin.phone.clean.www, over 500,000 downloads
- carpet cleanand.crp.cln.zda, over 100,000 downloads
- Cool cleansyn.clean.cool.zbc, over 500,000 downloads
- Strong cleanin.memory.sys.clean, over 500,000 downloads
- Meteor cleanorg.ssl.wind.clean, over 100,000 downloads
Most of the affected users live in South Korea, Japan, and Brazil, but unfortunately, the adware has reached users all over the world.
.png)
The adware apps are no longer available in the Play Store. However, users who have them installed must manually remove them from the device.
System cleaners and optimizers are popular software categories despite the few benefits they offer. Cyber criminals know that a large number of users would try such solutions to extend the life of their devices and often disguise malicious apps as such.
