Android YouTube download apps flood devices with ads to secure high ratings for droppers

More unpleasant surprises spread via the official Google Play store.

David bisson
David Bisson

Rate app

An Android trojan floods infected devices with advertisements to provoke users into doling out high ratings for its dropper apps.

The adware, detected as Android/Hiddad.BZ, hid itself inside seven applications available for download on Google Play. One app bore the name “Tube.mate.” Another identified itself as “SnapTube”.

Apps on Play store

Sign up to our free newsletter.
Security news, advice, and tips.

All these apps, which Google has since pulled from its official Play Store, had a few things in common. First, the apps had a large number of high ratings from users. Second, they all promised they could download content from YouTube. Third, each of them resolved to “Music Mania” upon successful installation.

The icon for “Music Mania” conceals a secret: it’s a dropper that loads an ad-displaying component. The element masquerades as a system plugin that requires administrator rights. Installing the fake plugin installs the adware payload, which demands its own superuser privileges from the user while posing as yet another fake plugin.

5 576x1024

ESET malware analyst Lukas Stefanko explains what happens next:

“After granting the rights, the user is immediately shown a screen full of ads and consequently asked to rate the app with five stars “to remove all ads”. Cancelling the message will result in an even greater flood of ads shown on the user’s device, aiming to provoke the user into rating the app next time the prompt is displayed.”

You can view a video of Hiddad.BZ in action below.

Aggressive ad-displaying app tricks users into leaving high ratings on Google Play

Have you been affected by this adware?

If so, there’s not much to fear. First, uninstall Music Mania using your Application Manager. You then need to go to your device’s security settings and disable administrator rights for “plugin android.” Only then can you uninstall the payload.

If you haven’t met Hiddad.BZ, which is not the first adware to affect apps on Google Play, endeavor not to by making sure to read the reviews of each app you’re considering installing.

Ordinary users might not always make the best security decisions. But they’re usually more than willing to write a scathing review if, for instance, an app doesn’t work and demands that they rate it five stars.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.