![Apple C1 vs Qualcomm Modem Performance [Speedtest]](https://www.iclarified.com/images/news/96767/96767/96767-640.jpg)
![Apple Studio Display On Sale for $1249 [Lowest Price Ever]](https://www.iclarified.com/images/news/96770/96770/96770-640.jpg)
![[Fixed] Chromecast (2nd gen) and Audio can’t Cast in ‘Untrusted’ outage](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2019/08/chromecast_audio_1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
-xl-xl.jpg){kind=icon}
![[The AI Show Episode 139]: The Government Knows AGI Is Coming, Superintelligence Strategy, OpenAI’s $20,000 Per Month Agents & Top 100 Gen AI Apps](https://www.marketingaiinstitute.com/hubfs/ep%20139%20cover-2.png)
![[The AI Show Episode 138]: Introducing GPT-4.5, Claude 3.7 Sonnet, Alexa+, Deep Research Now in ChatGPT Plus & How AI Is Disrupting Writing](https://www.marketingaiinstitute.com/hubfs/ep%20138%20cover.png)
![Is XMPP a good option for a messaging system in an app? [closed]](https://cdn.sstatic.net/Sites/softwareengineering/Img/apple-touch-icon@2.png?v=1ef7363febba)
331 Malicious Apps with 60 Million Downloads on Google Play Bypass Android 13 Security
Security researchers from Bitdefender have uncovered a large-scale ad fraud campaign involving 331 malicious apps on the Google Play Store. These apps, which have accumulated over 60 million downloads, exploit vulnerabilities in Android 13 to bypass security restrictions and carry out phishing attacks, ad fraud, and credential theft. The campaign demonstrates an alarming level of […] The post 331 Malicious Apps with 60 Million Downloads on Google Play Bypass Android 13 Security appeared first on Cyber Security News.
Security researchers from Bitdefender have uncovered a large-scale ad fraud campaign involving 331 malicious apps on the Google Play Store.
These apps, which have accumulated over 60 million downloads, exploit vulnerabilities in Android 13 to bypass security restrictions and carry out phishing attacks, ad fraud, and credential theft.
The campaign demonstrates an alarming level of sophistication. Attackers have managed to bypass Android’s restrictions on launching activities without user interaction and hiding app icons from the launcher, a feature prohibited in newer Android versions.
These apps mimic utility applications like QR scanners, expense trackers, health apps, and wallpaper tools, making them appear harmless to unsuspecting users.
Once installed, these apps display intrusive full-screen ads even when not actively running in the foreground. Worse, some apps attempt to collect sensitive user information, including credentials for online services and credit card details, through phishing attempts.
This behavior is achieved without requiring permissions traditionally associated with such actions, indicating advanced technical manipulation of Android APIs.
Technique Followed to Evade Detection
The malicious apps employ several techniques to evade detection:
- Icon Hiding: Attackers use mechanisms like disabling launcher activities or leveraging APIs designed for Android TV (LEANBACK_LAUNCHER) to hide app icons from users.
- Activity Launching: By abusing APIs such as
DisplayManager.createVirtualDisplayandPresentation.show(), the malware starts activities without permissions. This enables phishing attacks via fullscreen prompts that mimic legitimate services like Facebook or YouTube. - Persistence Mechanisms: The apps utilize dummy broadcast receivers and foreground services to maintain their presence on devices. Even on newer Android versions where foreground services are restricted, attackers circumvent this limitation using native code.
Most of these malicious applications became active on Google Play during Q3 of 2024. Initially, benign versions of these apps were later updated with malware components starting in early Q3, BitDefender said.
The campaign remains active, with the latest batch of malware uploaded to the Play Store as recently as March 4, 2025. At the time of Bitdefender’s investigation, 15 of these apps were still available for download.
The scale of this campaign is unprecedented. While the exact geographical distribution is unclear, the sheer number of downloads indicates a widespread impact across multiple regions.
The attackers appear to be either a single entity or a group using the same packaging tools purchased from black markets.
To evade detection by security systems and researchers, the malware employs advanced obfuscation methods:
- String obfuscation using XOR encoding.
- Polymorphic encryption techniques combining AES and Base64.
- Runtime checks to detect emulated environments or debugging attempts.
- Use of native libraries obfuscated with tools like Armariris.
Implications for Users
This discovery highlights critical vulnerabilities in Android’s security framework and underscores the need for robust third-party security solutions. Google has proactively purged malicious apps from its platform, but attackers continue adapting their methods.
Bitdefender recommends users avoid relying solely on default protections provided by Android and Google Play Store.
With attackers exploiting loopholes in Android systems and employing sophisticated evasion techniques, users must remain vigilant when downloading apps even from trusted platforms like Google Play Store.
As this campaign unfolds, it serves as a wake-up call for both users and developers to prioritize mobile security measures to combat increasingly complex threats.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
The post 331 Malicious Apps with 60 Million Downloads on Google Play Bypass Android 13 Security appeared first on Cyber Security News.
