Android Adware reappears on third-party platforms after being taken down from the Google Play Store


The SonicWall Capture Labs Threat Research team has been observing Android adware that was available on the Google Play Store. The applications have now been removed from the Play Store but are still being distributed via third-party platforms. Hidden adware continuously shows advertisements, some of which contain download links and lead to false clicks, and users end up with unwanted applications.

Fig1: Application removed from Google Play Store


Fig2: Malicious applications available on third-party store


Infection Cycle:

After installation, the application changes its icon to a blank icon without a name, making it difficult for the user to identify which application is showing advertisements.

Fig3: Application icon change


Here, <activity-alias> is used to switch from the original icon to a blank icon and then launch the same application to perform adware activities, as shown in the code snippet below.

Fig4: Use of activity alias tag


After installation, multiple advertisements start showing with a long waiting time to close, and this is a recurring action.

Fig5: Multiple Advertisement


This adware pretends to protect the device from harmful applications and shows a constant message in the status bar, so that it gets the benefit of the doubt and remains unidentified as the source of the advertisements.

Fig6: Message in the status bar


Similarly, to pass itself off as an optimizer application, the adware shows a notification after every new application installation.

Fig7: Pop up after new application installation


The sensitive device information (IMEI number, location, etc.) accessed by the adware is shown in the code snippet below.

Fig8: Access device information


To check resource utilization, we tested the application after a factory reset of the device. Its battery usage was very high compared to other applications, due to the huge number of advertisements.


Fig9: Battery usage


Problems caused by the adware:

  • It is difficult to identify and uninstall the application.
  • Due to intensive resource usage, device speed goes down and applications start crashing.
  • The battery starts draining quickly.
  • Leads to high internet usage.


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):




