Millions of Downloads: Adware Campaign "GhostAd" in Google Play Store
Highly ranked apps, with millions of installations in total on Google Play, aggressively served ads and drained mobile batteries.
Individual adware apps reached over half a million downloads.
(Image: Check Point Software Technologies Ltd.)
IT security researchers from Check Point have come across an adware campaign in the Google Play Store. The associated apps – the IT security company speaks of more than 15 in total – were sometimes ranked very high in the Google Play Store and together amassed over a million downloads.
The apps were disguised as cleanup or emoji apps, Check Point explains in an analysis. They drain the smartphone battery and eat into the data allowance of the mobile contract: "After installation, they started persistent advertising loops in the background that could not be stopped and continued even after restarting the device." The smartphones of those affected – primarily private users – were thus turned into advertising farms by the perpetrators. In some cases, apps were downloaded millions of times; one app, "GenMoji Studio," even reached second place among free apps in Google Play.
Although the target group is primarily in East and Southeast Asia, where three-quarters of those affected live, installations were also recorded in Europe, Africa, and Israel. According to Check Point, there doesn't seem to be a targeted campaign tailored to a specific audience behind "GhostAd"; rather, the malicious actors relied on general interest in the apps' functionalities. At their peak, at least 15 apps were available on Google Play.
Adware apps available for a long time
When the investigations started, there were still five. Despite their reach, the apps had remained available on Google Play since the beginning of October, and new downloads continued to occur. After a short time, users described problems in the app reviews, such as constantly popping-up ads, app icons that disappeared when they tried to uninstall, and devices becoming slower and less responsive.
After the Check Point analysts informed Google about the identified apps, the company stated that they had removed them – some before the notification, others afterward. Google Play Protect also cleans the identified apps from smartphones, regardless of their download source.
Aggressive behaviors
GhostAd installs itself as a foreground service, thereby achieving persistent execution. It displays a non-removable notification, but the notification is empty and shows only the app name. A task scheduler also triggers the loading of ads every few seconds. Even if Android terminates the service, it restarts almost immediately. GhostAd integrates several legitimate advertising software development kits but uses them in a way that violates fair use policies. Instead of waiting for user interaction, the apps continuously load, queue, and refresh more ads in the background.
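An added example, not taken from Check Point's analysis or from the original article: a static triage of a decoded AndroidManifest.xml for the declarations that typically accompany the behaviours described above (a foreground service, a restart after reboot), plus a launcher entry defined as an activity-alias, assumed here as one way an app icon can be made to disappear at runtime. The sample manifest and its package and class names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded manifest (e.g. apktool output).
# Package and class names are hypothetical, not those of the GhostAd apps.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cleaner">
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".Main"/>
    <activity-alias android:name=".Icon" android:targetActivity=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <service android:name=".KeepAlive" android:exported="false"/>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def names(root, path):
    """Collect the android:name attribute of every element matching path."""
    return {e.get(ANDROID + "name") for e in root.iterfind(path)}

def triage(manifest_xml):
    """Return the persistence-related signals declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = names(root, "uses-permission")
    findings = []
    # A foreground service needs this permission (Android 9+) and a <service>.
    if "android.permission.FOREGROUND_SERVICE" in perms and root.find("application/service") is not None:
        findings.append("foreground-service")
    # Restart after reboot: boot permission plus a receiver for the boot broadcast.
    boot = names(root, "application/receiver/intent-filter/action")
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms and "android.intent.action.BOOT_COMPLETED" in boot:
        findings.append("restart-on-boot")
    # Assumption: a launcher icon bound to an alias can be disabled at runtime.
    cats = names(root, "application/activity-alias/intent-filter/category")
    if "android.intent.category.LAUNCHER" in cats:
        findings.append("launcher-alias")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Each signal on its own is common in legitimate apps; it is the combination in a simple cleanup or emoji app that merits a closer look at runtime behaviour.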
User reports therefore also contain corresponding comments. Check Point quotes some, such as "It takes over your smartphone like a virus," "This is the worst app I've ever used – it invades my privacy and takes over other apps for ads," "Don't install this app! It blocks you so you can't use your smartphone, with annoying pop-ups every ten seconds," and "WORST APP EVER. It disappears when you try to uninstall it while dumping tons and tons of ads onto your smartphone."
Even though the GhostAd campaign does not steal data or exhibit classic malware behavior, it is extremely disruptive. By silently using system resources for ad delivery, it causes performance and usability problems for those affected. It drains the battery, is deceptive regarding hidden icons and empty notifications, and thus makes removal difficult. Finally, Check Point lists five hash values as Indicators of Compromise (IOCs), but not the app names, which would make searching easier.
At the end of August, IT security researchers discovered 77 malware apps in the Google Play Store. They had accumulated approximately 19 million installations.
(dmk)