{"id":98834,"date":"2020-03-03T21:01:08","date_gmt":"2020-03-04T05:01:08","guid":{"rendered":"\/blogs\/?p=98834"},"modified":"2024-06-25T02:27:46","modified_gmt":"2024-06-25T09:27:46","slug":"multi-tricks-hiddenads-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/","title":{"rendered":"Multi-tricks HiddenAds Malware"},"content":{"rendered":"<h2>Thousands of HiddenAds Trojan Apps Masquerade as Google Play Apps<\/h2>\n<p>The McAfee mobile research team has recently discovered a new variant of the HiddenAds Trojan. HiddenAds Trojan is an adware app used to display advertising and collect user data for marketing. The goal of such apps is to generate revenue by redirecting users to advertisements. There are usually two ways to make money with adware: the display of advertising to a user&#8217;s computer and a per-click payment made if a user clicks on the ad.<\/p>\n<p>Although it can be used for spreading and displaying advertising in an affiliate marketing program, adware can also be used to spread malware in an affiliate fraud program. Most adware programs will abuse a legitimate application to trick the user and increase the number of installations. In our analysis we focus on two fake versions of popular Android apps:<\/p>\n<ul>\n<li>FaceApp: an app used to modify photos with machine learning.<\/li>\n<li>Call of Duty: a famous game adapted for Android.<\/li>\n<\/ul>\n<p>We notice that these applications are very popular and are usually downloaded by young people. Additionally, both apps are using the in-app purchase business model. These two elements are interesting because they increase the chance that people will search for free versions and have potentially low concerns regarding security. 
We also noticed several other HiddenAds variants masquerading as genuine apps, such as Spotify or other well-known games.<\/p>\n<p>Globally, we observed more than 30,000 samples related to this HiddenAds campaign.<\/p>\n<p><a href=\"https:\/\/www.virustotal.com\/graph\/g05e894f94d9b40ab9651e0b353a66b8b4eb54e6dc8884fc2b52b86e205bc8fcc\">https:\/\/www.virustotal.com\/graph\/g05e894f94d9b40ab9651e0b353a66b8b4eb54e6dc8884fc2b52b86e205bc8fcc<\/a><\/p>\n<p style=\"text-align: center;\">Figure 1. Multi-tricks HiddenAds campaign<\/p>\n<p>Analyzed samples are not available on the Google Play Store; the delivery of the latest variants is mostly from untrusted parts of the internet that propose APK file downloads. YouTube channels have also been spotted with malicious links to download the fake apps.<\/p>\n<p>These variants of HiddenAds use some other interesting technologies to trick users and thwart the analysis of malware researchers. In this blogpost, we will deep dive into the analysis of a fake FaceApp application.<\/p>\n<h2>Distribution Channel<\/h2>\n<p>These malware samples masquerade as popular applications so, when a user wants to find the apps from an unknown source, they could be infected by malware. For example, \u201cCall of Duty\u201d is a popular game, with many people searching for the mobile version online. If they are unfortunate, they may find the result shown below:<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 2. Distribution channel<\/p>\n<p>In the video, the author provides download links. If we click the link to download the file, we receive \u201cCall of Duty_1.0.4.apk\u201d (as seen in Table 1). If we install this sample on our devices, we will be infected by this malware. Additionally, we spotted this malware on other untrusted sources.<\/p>\n<h2>Trick Techniques<\/h2>\n<ol>\n<li>Application name trick.<\/li>\n<\/ol>\n<p>As a user, we recognize an app by its name and icon. 
As a researcher, the package name is the identifier of an application. This variant uses popular application names, icons and package names on the Google Play store, to trick users into thinking they are genuine applications.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Table 1: Basic Information of some threat samples.<\/p>\n<p>We search for the application name on Google Play and click the search result to view its details.<\/p>\n<p style=\"text-align: center;\">Figure 3. FaceApp information on Google Play.<\/p>\n<p>This is a very popular application with in-app purchases. If victims want to find a free cracked version from alternative sources, they may end up with our analysis sample. The application name, icon and version number of the Google Play app and the fake app are very similar. The file size, however, is very different so we should keep that very firmly in mind.<\/p>\n<ol start=\"2\">\n<li>Icon trick.<\/li>\n<\/ol>\n<p>Normally, users expect the icons seen before and after installation to be the same. In this sample, they are different. The sample defines two icons in the AndroidManifest.xml file; the label of the activity is \u201cSettings\u201d.<\/p>\n<p style=\"text-align: center;\">Figure 4.1. Two icons are defined in AndroidManifest.xml<\/p>\n<p>Before we install the sample, we see it in File Explorer, showing the first icon (tv_icon.png). At the system installation view, we see the first icon too. Once we click the \u201cDone\u201d button, the sample is installed onto the device and the system shows the second icon (but_invertc.png).<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 4.2. Icons before\/during\/after installation<\/p>\n<p>This is the icon trick. 
Users are surprised after they install the sample as they cannot find the expected icon on their devices; they may think something went wrong during installation and the application failed to install. In reality, the application has already been installed; it is next to the system \u201cSettings\u201d application icon. When a user goes to launch the system \u201cSettings\u201d application, they may click the fake icon instead, launching the malicious application.<\/p>\n<ol start=\"3\">\n<li>Launcher trick.<\/li>\n<\/ol>\n<p>Once a victim clicks the fake \u201cSettings\u201d icon, the malicious app launches, as does the next stage of the trick.<\/p>\n<p style=\"text-align: center;\">Figure 5. Hidden icon after clicking \u201cok\u201d button<\/p>\n<p>The sample shows this alert dialog immediately; it does not perform any country availability check. This is a deceptive message, to make victims believe that the icon is hidden because \u201cApplication is unavailable in your country\u201d. In fact, the application is still running in the background. It is not unavailable in a given country, it is just unavailable for victims.<\/p>\n<h2>Obfuscation Technique<\/h2>\n<p>Above are the ways the app is used to defraud victims. Now, we look at the anti-analysis techniques of this sample. At the start of the application, it invokes a function MultiDex.install. MultiDex is a popular and valid Android module which is used to support multiple DEX files. When we investigate this function, we are curious why a popular Android module invokes a function in a specific application module.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 6. The malicious code in the \u201cMultiDex.install\u201d function<\/p>\n<p>The question prompts us to do more analysis. Finally, we find that this is the entry point of the malicious code. 
It mainly does 2 things here:<\/p>\n<ul>\n<li>Decrypt so library<br \/>\nThe decryption function is heavily obfuscated: the variable names are obfuscated so that they make no sense, and a simple function is split into lots of sub-functions, each padded with lots of nonsense code designed to thwart analysis.<\/li>\n<li>Fortunately, we can understand the code and get the decryption process.<\/li>\n<\/ul>\n<p style=\"text-align: center;\">Figure 7.1. Splits into lots of sub-functions<\/p>\n<p style=\"text-align: center;\">Figure 7.2. One sub-function, lots of code is nonsense<\/p>\n<p>Reading data from resource\/string.xml file according to CPU type (Figure 8.2):<\/p>\n<ul>\n<li>If CPU is arm64, read x1 value.<\/li>\n<li>If CPU is armeabi, read x0 value.<\/li>\n<li>Other CPUs are not supported.<\/li>\n<\/ul>\n<p style=\"text-align: center;\">Figure 8.1. Read data from resource string.xml file<\/p>\n<p>The data has 2 parts: the first part is the header of the ELF file; the second part is an array index.<\/p>\n<ul>\n<li>From the index (\u201ca58ax\u201d) in the last step, we find base64-encoded data in the arrays.xml file.<\/li>\n<li>Use base64 and XOR operations to decode the array and generate the native code library.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 8.2. Base64 encoding data in the file resources.arsc\/res\/values\/arrays.xml<\/p>\n<p>3) Load so library to extract the DEX payload and, finally, the malicious code invokes System.load to load the so library and calls a native function.<\/p>\n<p style=\"text-align: center;\">Figure 9. Load so library and call a native function<\/p>\n<p>In the native function, it will extract and decrypt the file assets\/geocalc_lite.dat and restore the DEX payload to path \/data\/data\/de.fastnc.android.geocalc_lite\/app_app_apk\/geocalc_lite.dat.jar.<\/p>\n<h2>DEX Payload Analysis<\/h2>\n<p>The DEX Payload is used for showing advertisements. 
The advertisement data comes from the server. Once the payload gets the data, it will show it on the device. From the code analysis, we see there are dozens of advertisement types (Figure 12.2). The payload, which is very complex, will load and show the data in different ways for each type.<\/p>\n<ul>\n<li>Default Setting Parameters<br \/>\nThe DEX payload defines a base64-encoded string in code; we get lots of default setting parameters after decoding it:<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 10.1. Default setting parameters (Encoding)<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 10.2. Default setting parameters (Decoding)<\/p>\n<p>This is a JSON object; it is very complex and below is the usage of some parameters:<\/p>\n<ul>\n<li>metricsApiKey: The API Key of Yandex Metrica SDK.<\/li>\n<li>installFrequencySeconds: This is used to control the frequency of \u2018install\u2019 requests. The value decides the minimum time interval of sending \u2018install\u2019 requests (see the Request &amp; Response section) which, in this instance, is 1000 seconds (16 minutes 40 seconds). The install request can only be triggered by the application launcher. However many times we restart the application, it only sends one request in 1000 seconds.<\/li>\n<li>overappStartDelaySeconds: This is designed to control the delay of HTTP requests. It is intended to execute malicious payloads after 30000 seconds (5 hours 20 minutes) from the first launch. But in the current version, this value is the same as &#8216;installFrequencySeconds&#8217; and is used to control install frequency. 
The smaller value of &#8216;overappStartDelaySeconds&#8217; and &#8216;installFrequencySeconds&#8217; is used as the minimum time interval of sending install requests.<\/li>\n<li>bundles_*(b,c,l,n): It looks like these are used for determining whether to show advertisements in these packages or not.<\/li>\n<\/ul>\n<p>The parameter \u201cdomains\u201d is an important one; it defines the remote server candidate list. The payload selects a random one as the remote server; if the selected one is unavailable, it will switch to the next one.<\/p>\n<h3>Request &amp; Response<\/h3>\n<p>There are 3 types of requests in the payload, with different requests having different trigger conditions. We can only capture 2 types of requests:<\/p>\n<p style=\"text-align: center;\">Figure 11.1. Request &amp; response capture<\/p>\n<ol>\n<li>\u2018install\u2019 Request<br \/>\nDuring application launch, if the trigger conditions are satisfied, the payload will send an \u2018install\u2019 request to the remote server. This request has a field named \u201ctype\u201d whose value is \u201cinstall\u201d.<\/li>\n<\/ol>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 11.2. Install request<\/p>\n<p>The client field is a JSON object too; it contains the versionName and sdkEdition information, both of which show that this payload is very new.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 11.3. VersionName and sdkEdition definition<\/p>\n<p>The responses from the remote server are often an empty JSON object, which increases the difficulty of our analysis. We continued testing for a few days and captured a non-empty response.<\/p>\n<p style=\"text-align: center;\">Figure 11.4. Response data<\/p>\n<p>The remote server settings override the default settings:<\/p>\n<ul>\n<li>Enabled: Advertisement enabled flag, including below \u2018b\/request\u2019 request. 
The default is False, and True is set from a remote server response.\n<ul>\n<li>7 new domains in response: &#8216;http:\/\/hurgadont.com&#8217;, &#8216;http:\/\/asfintom.com&#8217;, &#8216;http:\/\/eklampa.com&#8217;, &#8216;http:\/\/glanmoran.com&#8217;, &#8216;http:\/\/cantomus.com&#8217;, &#8216;http:\/\/fumirol.com&#8217; and &#8216;http:\/\/bartingor.com&#8217;<\/li>\n<li>7 default domains: &#8220;http:\/\/minasorp.com&#8221;, &#8220;http:\/\/omatist.com&#8221;, &#8220;http:\/\/retinba.com&#8221;, &#8220;http:\/\/baradont.com&#8221;, &#8220;http:\/\/lindostan.com&#8221;, &#8220;http:\/\/avgon.net&#8221; and &#8220;http:\/\/dorontalka.com&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>There are 7 new servers and 7 default servers, a total of 14 servers, and we can ping all of them; they are alive.<\/p>\n<p>2. \u2018b\/request\u2019 request<\/p>\n<p>This is a core request. There is a field named \u2018type\u2019 and its value is \u2018b\/request\u2019 in this request.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 12.1. b\/request request<\/p>\n<p>The library registers lots of event filters\/observers and, when these events happen, the trigger conditions are satisfied, causing the library to send appropriate requests to the remote server.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Table 2: Event monitoring<\/p>\n<p>Banner Type is used to identify the banner and Spot is used to identify the spotting of events.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 12.2. Banner Type &amp; Spot Type<\/p>\n<p>The response data is as below. It has 3 main functionalities:<\/p>\n<ul>\n<li>&#8216;sdkUpdate&#8217; data: Used to load updated versions of the SDK file.<\/li>\n<li>&#8216;banners&#8217; data: Used to show banner advertisements.<\/li>\n<li>&#8216;mediatorSDKs&#8217; data: Used to post mediatorSDKs requests on victims\u2019 devices.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 12.3. 
\u2018b\/request\u2019 Response<\/p>\n<ul>\n<li>Banner data<\/li>\n<\/ul>\n<p>We mentioned that we captured a response of \u2018b\/request\u2019 in Figure 11.1. The response contains one banner data item; after decoding, its fields are as below.<\/p>\n<p style=\"text-align: center;\">Figure 12.4. Banner data and \u2018html\u2019 field content<\/p>\n<p>\u2018html\u2019 is the most important field &#8211; payload content is loaded in a WebView by invoking the loadDataWithBaseURL API. According to the html, WebView will load the page from the first URL, hxxp:\/\/bestadbid.com\/afu.php?zoneid=1558701. This is a redirect URL that will redirect to different URLs each time we open it. In our test, it redirects to a gambling website.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 12.5. Redirect to a gambling website<\/p>\n<ul>\n<li>mediatorSdks data: mediatorSdks data is a JSON array. Each item definition is as below. We cannot capture this type of data from the remote server as we do not know the real value of each field. According to our analysis, \u201ctracking\u201d is a URL list. Each URL will be executed on the device and the execution result is sent to the remote server.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 12.6. mediatorSdks item definition<\/p>\n<p>3) Mediator Stat requests: After the Tracking URL executes, it will execute \/sdk\/stat\/mediator_* requests to the remote server, which just report the execution results. There are 4 types of mediator requests: one is for reporting failure status; the other 3 types are for reporting success status. There are 3 types of success status; we guess that there are 3 types of Tracking URL in mediatorSdks data (Figure 12.6). Each type of Tracking URL uses its corresponding mediator stat request to report status.<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\">Figure 12.7. 
4 types of mediator stat request<\/p>\n<h2>Conclusion<\/h2>\n<p>This is a traditional Hidden Icon Ads malware; it hides the application\u2019s icon first, then shows advertisements from the DEX payload. But it applies lots of technology to implement its purpose, to trick users into believing it is a normal application, to stymie the detection of security tools. The DEX payload is a very complex SDK &#8211; more than 14 candidates of remote servers are found, lots of event monitoring and remote trigger control, all of which mean this is a well-designed malware. Once victims are infected with this malware they are unlikely to realize it and, even if they do, they may not be able to locate and remove it.<\/p>\n<p>McAfee Mobile Security detects this threat as Android\/HiddenAds. To protect yourselves from this and similar threats, employ the McAfee Mobile Security application on your mobile devices and do not install apps from unknown sources.<\/p>\n<p>For more information about McAfee Mobile Security, visit\u00a0<a href=\"https:\/\/www.mcafeemobilesecurity.com\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/www.mcafeemobilesecurity.com<\/a>.<\/p>\n<h2>Hashes<\/h2>\n","protected":false},"excerpt":{"rendered":"<p>Thousands of HiddenAds Trojan Apps Masquerade as Google Play Apps The McAfee mobile research team has recently discovered a 
new&#8230;<\/p>\n","protected":false},"author":827,"featured_media":98530,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4662],"class_list":["post-98834","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Multi-tricks HiddenAds Malware | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Thousands of HiddenAds Trojan Apps Masquerade as Google Play Apps The McAfee mobile research team has recently discovered a new variant of the HiddenAds\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Multi-tricks HiddenAds Malware | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Thousands of HiddenAds Trojan Apps Masquerade as Google Play Apps The McAfee mobile research team has recently discovered a new variant of the HiddenAds\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2020-03-04T05:01:08+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-25T09:27:46+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/02\/iStock-954683756-min-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" 
content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"ZePeng Chen\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ZePeng Chen\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/\"},\"author\":{\"name\":\"ZePeng Chen\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/6fb75b3dd9ea3d7dedda48880fd147f5\"},\"headline\":\"Multi-tricks HiddenAds Malware\",\"datePublished\":\"2020-03-04T05:01:08+00:00\",\"dateModified\":\"2024-06-25T09:27:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/\"},\"wordCount\":2408,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/02\/iStock-954683756-min-1.jpg\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/\",\"name\":\"Multi-tricks HiddenAds 
Malware | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/02\/iStock-954683756-min-1.jpg\",\"datePublished\":\"2020-03-04T05:01:08+00:00\",\"dateModified\":\"2024-06-25T09:27:46+00:00\",\"description\":\"Thousands of HiddenAds Trojan Apps Masquerade as Google Play Apps The McAfee mobile research team has recently discovered a new variant of the HiddenAds\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/02\/iStock-954683756-min-1.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/02\/iStock-954683756-min-1.jpg\",\"width\":1920,\"height\":1280},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/multi-tricks-hiddenads-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee 
Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Multi-tricks HiddenAds Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/6fb75b3dd9ea3d7dedda48880fd147f5\",\"name\":\"ZePeng 
Chen\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/3e265358d4380d543654e7189dfa995d\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e23a4d49ff1d3565d31a01e3a8ccf0be?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e23a4d49ff1d3565d31a01e3a8ccf0be?s=96&d=mm&r=g\",\"caption\":\"ZePeng Chen\"},\"description\":\"Peng is a security researcher and a member of the McAfee Mobile Research and Operations team. He is based in Shenzhen, China, and specializes in mobile malware analysis, reverse engineering, and detections.\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/jason-chen\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}