Adware cleaner apps promoted on Facebook sneaked into the Play Store

Several adware apps promoted aggressively on Facebook as system cleaners and optimizers for Android devices are counting millions of installations on Google Play store.

The apps lack all of the promised functionality and push advertisements while trying to last as long as possible on the device.

To evade deletion, the apps hide on the victim’s device by constantly changing icons and names, masquerading as Settings or the Play Store itself.

The adware apps abuse the Contact Provider Android component, which enables them to transfer data between the device and online services.

The subsystem is called every time a new app is installed, so the adware might be using it to initiate the ad-serving process. To the user it may look like the ads are pushed by the legitimate app they installed.

Researchers at McAfee discovered the adware apps. They note that users don’t have to launch them after installation to see the ads because the adware initiates itself automatically without any interaction.

The first action from these annoying apps is to create a permanent service for displaying the advertisements. If the process is “killed” (terminated), it re-launches immediately.

The following video shows how the name and icon of the adware changes automatically and how the ad-serving occurs without any interaction from the user.

Millions of downloads

As McAfee comments in the report, users are convinced to trust the adware apps because they see a Play Store link on Facebook, leaving little margin for doubt.

This has resulted in unusually high download numbers for the particular type of applications, as shown in the list below:

1. Junk Cleaner, cn.junk.clean.plp, 1M+ downloads
2. EasyCleaner, com.easy.clean.ipz, 100K+ downloads
3. Power Doctor, com.power.doctor.mnb, 500K+ downloads
4. Super Clean, com.super.clean.zaz, 500K+ downloads
5. Full Clean -Clean Cache, org.stemp.fll.clean, 1M+ downloads
6. Fingertip Cleaner, com.fingertip.clean.cvb, 500K+ downloads
7. Quick Cleaner, org.qck.cle.oyo, 1M+ downloads
8. Keep Clean, org.clean.sys.lunch, 1M+ downloads
9. Windy Clean, in.phone.clean.www, 500K+ downloads
10. Carpet Clean, og.crp.cln.zda, 100K+ downloads
11. Cool Clean, syn.clean.cool.zbc, 500K+ downloads
12. Strong Clean, in.memory.sys.clean, 500K+ downloads
13. Meteor Clean, org.ssl.wind.clean, 100K+ downloads

Most affected users are based in South Korea, Japan, and Brazil, but the adware has unfortunately reached users worldwide.

The adware apps are no longer available on the Play Store. However, users that installed them have to remove them manually from the device.

System cleaners and optimizers are popular software categories despite the low benefits they provide. Cybercriminals know that a large number of users would try such solutions to prolong the life of their devices and often guise malicious apps as such.

Source: https://www.bleepingcomputer.com/news/security/adware-cleaner-apps-promoted-on-facebook-sneaked-into-the-play-store/