As per Ecular Xu, mobile threat response engineer at Trend Micro said, “We found another example of adware’s potential real-life impact on Google Play. Trend Micro detects this as AndroidOS_Hidenad.HRXH. It isn’t your run-of-the-mill adware family: Apart from displaying advertisements that are difficult to close, it employs unique techniques to evade detection through user behavior and time-based triggers.” After downloading the app every time the user unlocks the device the adware will carry out quite a lot of tests before it performs its routines. Firstly it will compare the current time of the device’s system time with the help of timestamp stored as install time. After that, it compares the network time (queried via RESTful API) with the help of timestamp stored as networkInstallTime. With this, the app will be able to verify if it has been installed on the device with the default delay time configured to 30 minutes. The blog post says, “To a certain extent, using network time can evade time-based detection techniques or triggers employed by traditional sandboxes, as the app’s time settings can be configured by simply using networkInstallTime.” After 30 minutes the app will then hide its icon and create a shortcut on the device’s home screen. This would prevent the app from being uninstalled by dragging and dropping its icon to the Uninstall section of the screen. In order to avoid this, the app brings into play Java reflection that will allow the apps to inspect or to modify the behavior of the app and encodes the API strings in base64. The app also uses one more Broadcast Receiver to detect if the user has unlocked its device. Once detected it will start displaying advertisements on the screen. Besides this it also tests the last ad shown on the screen so that it does not displays the same advertisements too often “While the apps do have actual functionalities of the applications they are posing as, these ads are shown in full screen. Users are forced to view the whole duration of the ad before being able to close it or go back to the app itself. Moreover, the frequency of ads being displayed can be remotely configured by the fraudster (the default is five minutes), so it could exacerbate the nuisance for users.” For the latest gadget and tech news, and gadget reviews, follow us on Twitter, Facebook and Instagram. For newest tech & gadget videos subscribe to our YouTube Channel. You can also stay up to date using the Gadget Bridge Android App.
