The Google Play adware apps that just won’t die

Thanks to Rowland Yu of SophosLabs for his behind-the-scenes work on this article.

Several popular Android apps in Google Play are rigged with a third-party library that continuously pops up ads even if the user tries to force close them.

SophosLabs discovered the library earlier this week and detects it as App/MarsDae-A. So far, more than 40 apps on Google Play use the library, which has been downloaded up to 6 million times. Sophos protects its customers from these apps.

The library supports Android 2.3 through Android 6, along with Samsung, Huawei, Meizu, Mi and Nexus devices. Its primary function is to keep the adware alive even if the user attempts a force close or memory scrub.

SophosLabs found a total of 47 apps in Googe Play that include the MarsDae library. Google Play has removed some of them, but many remain. Here is the list of package names:

What happens

In the example below, we see the library used in an app called “Snap Pic Collage Color Splash.” The app has been downloaded from Google Play more than 50,000 times.

Once the app is installed, it will pop up ads on the user’s home screen like this:

Even if you force stop the app from system settings, the ads will resume after few seconds.

How it works

Once dropped on an Android 5 and 6, the library repeats a series of steps to keep the ads running.

  1. It runs code that kicks off a number of processes.
  2. It creates a file, then locks it.
  3. Each process creates another file. For example, Process A creates a2 and repeatedly checks if Process B has created file b2, and vice versa.
  4. If Process A finds file b2, it means Process B has started and locked file b1. Process A can delete file b2. Process B will do the same thing for file a2.
  5. Process A keeps monitoring the lock status of file b1 while Process B monitors file a1. If any file is unlocked, it means the related process is dead. Then anther process can restart it again.

As clever as the technique may be, all it does in the long run is ruin each app’s reputation on Google Play. Annoyed users have made their unhappiness known:

PUAs on Google Play

This is just the latest in a growing list of PUAs (potentially unwanted apps) SophosLabs has found on Google Play. Other recent examples include:

  • Star Hop and Candy Link, which look like a couple of harmless games but hide malware that can switch on the device’s wifi and pummel the victim with spam.
  • Android XavirAd and Andr/Infostl-BK, which collects the user’s personal information, including email address, and sends them to a remote server.
  • Super Free Music Player, which uses sophisticated techniques formerly found in BrainTest malware to bypass detection by Google and security researchers.

Defensive measures

As we mentioned above, SophosLabs has identified and protected Sophos users against this adware library.

Our advice: If you see these apps in Google Play, don’t download them. We’ll continue working with Google to get the remaining apps removed.

The continued onslaught of malicious Android apps demonstrates the need to use an Android anti-virus such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.