HiddenAd or HiddAd are icon-hiding adware applications. The prime motive of HiddAd is to generate revenue through aggressive advertisements. As long as HiddAd remains on the device, it will generate revenue for the malware author. To make uninstalling difficult, malware authors hide the application’s icon from the application drawer. They also use different deceptive techniques to make uninstallation less intuitive to the users.
HiddAd is not a new thing for the Google Play Store. We have seen many such malware applications on the Google Play Store in the last 3-4 years.
2019 is known as the year of HiddAds, as many such applications were reported in that year.
We observed similar cases in the year 2020 related to the HiddAd applications. In Feb 2021, the updated version of the Barcode scanner application with 10 million downloads was found to be HiddAd.
Quick heal researchers also contributed to this HiddAds by reporting and removing several HiddAds from Google Play Store.
Recently we found 14 such applications on Google Play Store. The download count of all these applications is more than 6 million. These applications are HiddAd malware and execute themselves without user interaction. We have denoted them by naming them “Autolauncher HiddAds.” Fig.1 shows icons of malicious applications.
Fig.1 Application icon
Now let’s have a look into one of these applications.
Application Name: Windy Clean
As soon as we installed the application, it immediately started its activity. We didn’t have to take any action as we did not even click on its icon to run the application. It hides its icon from the application drawer and starts displaying overlapping pop-up advertisements. Fig. 2 shows pop ads shown by malicious applications.
Fig.2 Malware application showing ads
In the background, as soon as the installation is completed application requests the advertising server. It sends information about OS, phone, etc. In response, it gets encrypted info about the advertisement.
Fig.3 Malware makes this request as it is installed
This application uses a broadcast receiver to execute the code on various system broadcasts: –
Fig. 4 Broadcast Receiver’s intent filter
These applications show aggressive ads overlapping other applications, which can be very annoying for the users who install them. Some users have expressed their anger by writing bad reviews about the application.
Fig.5 Users expressing their anger
As illustrated in the following table, all these applications are reported from the Tools category. They claim to provide free android cleanup and enhancement programs, phone acceleration, CPU cooling, garbage cleaner, battery saver, virus scanning, etc. They use these claims to reach out to more users and increase the download count. Each application is published from a different developer account, but all of them have a similar code structure and malicious behavior. Most of these applications were recently released on Google Play Store.
Fig. 6 Application information
Quick Heal Security Labs detects these apps with variants of Android.Hiddad:-
The above-mentioned malware applications behave differently than the other malware we reported earlier. Automatically launching applications without user interaction is a dangerous weapon that can be misused to harm the user’s device and data. We may see more malware applications using such techniques in the future. Quick Heal’s Security Lab continuously checks applications from Google Play Store for such malware.
The application ensures to bombard you with pop-up advertisements. If you have the Hiddad adware on your devices, we recommend you to remove it immediately.