Usually, Google’s official Play Store is the safest source for Android apps, but as evidenced by the recent massive Judy malware campaign, unscrupulous developers sometimes find ways to smuggle malware into official apps and circumvent Google’s screening process.
Two Google Play apps that appear to be innocent games were discovered to be hiding pesky malware and you should delete them immediately.
Researchers from SophosLabs revealed that the two apps, Star Hop and Candy Link, can switch on your Android’s Wi-Fi without your consent and then flood your home screen with spam. The two apps combine for about 50,000 downloads, and they have been available on the Google Play app store since March 2017.
These two apps are hiding ad-generating malware dubbed by SophosLabs as Andr/Axent-EH. This family of malware is capable of dropping a malicious payload, turning on Wi-Fi on your device if it’s off, connecting to malicious websites, and loading spam messages and ads on your phone’s home screen.
Star Hop is a run-of-the-mill color bubble matching game. It currently holds a questionable four-star rating from 19 user reviews, but the typos and grammatical errors in the app description should be enough to raise red flags. It appears to be from a Chinese developer.
One reviewer complained that it is “plagued by ads that look very dodgy and hard to get out of.”
Candy Link is another object matching game with generic mechanics. It claims to be a great way to improve your memory, concentration and cognitive skills. It currently holds a sketchy five-star rating from two user reviews we suspect to be fake, so don’t be fooled. Similar to Star Hop, it appears to be from a Chinese developer.
According to SophosLabs, once installed and granted permissions, the hidden malware drops a Wi-Fi-controlling payload called decbiee.jar from the app’s “assets” folder. It then connects to a malicious website, wi7cb.com, and proceeds to download and display spam messages and ads on the target phone’s home screen.
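The behaviour described above, a code payload hidden in the APK’s assets folder plus a hard-coded ad/spam domain, is something a defender can check for without running the app, because an APK is just a ZIP archive. The following script is an added example written for this article; it is not SophosLabs’ detection logic or any vendor’s tool. It uses only the two indicators the article reports (the file name decbiee.jar and the domain wi7cb.com) and a general rule of thumb: executable code (.jar, .dex, .apk, .so) inside assets/ is unusual for a simple game and deserves a closer look. The sample APKs are constructed in memory so the example runs offline; they are not the real apps.

```python
import io
import zipfile

# Indicators reported by SophosLabs for Andr/Axent-EH, as quoted in the article.
KNOWN_PAYLOAD_NAMES = {"decbiee.jar"}
KNOWN_DOMAINS = {"wi7cb.com"}

# Code types that rarely belong under assets/ unless the app loads code at runtime.
CODE_EXTENSIONS = (".jar", ".dex", ".apk", ".so")


def scan_apk(apk_bytes):
    """Scan an APK (ZIP archive) given as bytes and return a dict of findings.

    findings["code_in_assets"]  - entries under assets/ with an executable extension
    findings["known_payloads"]  - entries whose file name matches a reported payload
    findings["known_domains"]   - (entry, domain) pairs where a reported domain appears
    """
    findings = {"code_in_assets": [], "known_payloads": [], "known_domains": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1]

            if name.startswith("assets/") and base.lower().endswith(CODE_EXTENSIONS):
                findings["code_in_assets"].append(name)

            if base in KNOWN_PAYLOAD_NAMES:
                findings["known_payloads"].append(name)

            # Look for the domain only where strings would plausibly live
            # (compiled code and assets), so large images are not read needlessly.
            if base.endswith((".dex", ".jar")) or name.startswith("assets/"):
                data = zf.read(name)
                for domain in sorted(KNOWN_DOMAINS):
                    if domain.encode() in data:
                        findings["known_domains"].append((name, domain))
    return findings


def is_suspicious(findings):
    """True when any indicator fired; a triage verdict, not proof of infection."""
    return any(findings[key] for key in findings)


def build_sample_apk():
    """Constructed sample that mimics the layout the article describes (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # Constructed: a fake dex image that embeds the reported spam domain.
        zf.writestr("classes.dex", b"dex\n035\x00 ... http://wi7cb.com/ads ...")
        # Constructed: a fake jar under assets/ with the reported payload name.
        zf.writestr("assets/decbiee.jar", b"PK\x03\x04fake-jar-payload")
        zf.writestr("assets/levels.json", b'{"levels": 3}')
    return buf.getvalue()


def build_clean_apk():
    """Constructed sample of an ordinary game with only data files under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00 ... game logic ...")
        zf.writestr("assets/levels.json", b'{"levels": 3}')
        zf.writestr("assets/sounds/pop.ogg", b"OggS")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("constructed-malicious", build_sample_apk()),
                       ("constructed-clean", build_clean_apk())):
        result = scan_apk(apk)
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

To run this against a real file, pass `open("app.apk", "rb").read()` to `scan_apk`. A hit on `code_in_assets` alone is only a lead (some legitimate apps ship plugins this way), whereas a match on the reported file name or domain is a direct indicator worth acting on.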
Here are examples of the spam messages (images from SophosLabs):
What you need to do immediately
If you or anyone you know has downloaded “Star Hop” or “Candy Link,” you need to delete the app from your gadget. However, if you gave the app certain permissions, you need to revoke those permissions first.
To revoke permissions to apps, visit your Google account settings page. From there, click on “Connected apps & sites” under “Sign-in & Security.” On the next page, click “Manage Apps” and you will see a list of your connected apps and their access level. Just click on all affected apps and select “Remove.”
Once you have revoked permissions from the affected apps, it’s safe to delete the apps from your gadget. They will no longer be clicking ads in the background and your device will be good to go.
You also need to make sure your gadget has strong malware protection to prevent further infections.