More than 200 Android apps are packed with adware that could compromise your phone, researchers said Wednesday.
Security researchers from Check Point found malicious code in 210 Android apps in the Google Play store that had been downloaded nearly 150 million times. The "SimBad" code is part of the new adware campaign and is hidden inside a software development kit (SDK) on these apps. Adware is a form of malware that installs itself on your device without you knowing and then displays ads.
Check Point notified Google, and Google said the apps have been removed from the Play store.
The infected apps are able to display background ads, open the browser to any page and download more malicious apps from either the Google Play store or a remote server, Check Point's researchers said. The new browser page can lead to phishing websites -- with pages that look real but are designed to trick people into revealing their login credentials. There is also code on the SDK that allowed the malicious app to delete its own icon, making it harder for victims to delete.
While these apps were fully capable of all this, the only malicious activity witnessed has been the displaying of ads, Jonathan Shimonovich, a group manager at Check Point, said in an email.
In the Google Play store, the adware SDK was hidden in hundreds of apps, the majority of which were simulator games, the researchers found. The app with the most downloads was Snow Heavy Excavator Simulator, with more than 10 million downloads. Others included Ambulance Rescue Driving, Fire Truck Emergency Driver, Speed Boat Jet Ski Racing, Hoverboard Racing, Real Tractor Farming Simulator and Car Parking Challenge, each with more than 5 million downloads.
The malware was also found in live wallpaper apps and editing tools like Girlfriend photo editor, which was downloaded more than 1 million times.
The full list of apps is available from Check Point.
Adware is a rising threat for mobile apps as attackers look to take advantage of millions of devices to make money through ad fraud. Advertisers pay a lot of money to get views, and hacker know they can generate fake views through infected devices.
In February, researchers detailed the DrainerBot ad fraud, which downloaded gigabytes of video ads that victims never saw.
The Google Play store is a frequent target for ad fraud because it's more open to developers than Apple's App Store. Android has improved its efforts to curb bad apps, noting last month that it fixed vulnerabilities in more than 75,000 apps in 2018.
Adware and malicious activity can often be hidden in the SDK, which are third-party tools used across apps. In another research paper Check Point released Wednesday, the security company said it found that an SDK hidden on 12 apps has been stealing contact information from up to 111 million devices in China.
"Before integrating SDKs into their mobile applications, developers need to be aware of potential risks of undocumented and malicious behaviors implemented in third party SDKs," Check Point said.