HiddnAd is Android malware found in seven different applications on the Google Play store, some of which were downloaded more than 500,000 times. These apps, six QR code readers and one smart compass, appear to be legitimate but contain malicious code embedded within the standard Android programming library in the app. The code is designed to delay malicious activity until six hours after installation. Once the malicious activity begins, pop-up advertising webpages are displayed along with Android notifications containing links that, if clicked, generate ad revenue for the threat actors. When one of these apps runs for the first time, it contacts the command-and-control (C&C) server operated by the threat actors for configuration information. Each configuration downloaded onto the infected device gives the malware a new list of URLs to open in the browser, a list of messages, icons, and links for notifications, and the time to wait before calling back to the C&C server for the next configuration update.

Technical Details

  • SophosLabs provides technical analysis of HiddnAd, here