Fake ad blocking available outside of Google Play is bombarding Android users with ads, many of them vulgar, and to make matters worse, cleverly hidden adware is difficult to uninstall.
As documented by antimalarial software provider Malwarebytes, Ads Blocker, as the app is called, uses a few tricks to bombard and permanently bombard users with ads. The first is simply to ask for usage rights to show through other applications. Next, a connection request is made to "set up a VPN connection enabling it to monitor network traffic". Finally, it requires permission to add a plugin to the homepage.
In fact, VPN connection approval – the standard requirement for some legitimate ad blockers – allows ad blockers to work in the background at all times. Combined with the permission to show other apps, the app is free to plaster ads in a variety of aggressive and annoying ways. Displays full-page ads across the screen. Delivers ads in the default browser. Includes ads in notifications. And puts ads in the home screen widget.
"This malicious software for Android is absolutely ruthless in its advertising services and frequencies," wrote Malwarebytes researcher Nathan Collier. "In fact, as I was writing this blog, it served up numerous ads on my test device with a frequency of about once every few minutes."
The content of the ads is widespread, including some, Collier wrote, which are "negligent" or even "vulgar".
Equally disturbing is the difficulty in removing the ad blocker from the device. The ad blocker has no icon. In the app settings information section for Android, there is no mention of "Ad Blockers" because the app protects the name with a white box. Concealment leaves many people struggling to uninstall the application. Another white box appears above the notification box. Pressing the dialog box prompts for permission to install even more applications.
Collier went on to describe a simple way to remove the application – by requiring a 6.57 megabyte storage size entry in the Application Information section of Android Settings. Users can then select that entry and use the uninstall button.
This method does not seem to work on Android 10, as the application info field does not display storage sizes (at least not on the device I used). An alternative method in that case might be to access Storage in Android settings and select the Applications tab. While the ad blocker name and icon will not appear, its use of 6.57MB still needs to be displayed. Users can then press the 6.57MB input, click on the screen just above the "clean storage" and "memory" icons, and choose to uninstall. People can also use the free version of Malwarebytes for Android to remove the app.
Malwarebytes researchers still do not know how the ad blocker is distributed. Data in the VirusTotal malware scanning service suggests that the application is spreading to the United States, most likely when people seek ads from a third-party app store. Forum posting on a French website and filename written in German provide evidence that the application can also be distributed in Europe.
So far, the Malwarebytes application has detected only 500 infections. After collecting more than 1,800 copies of the application, the company's researchers suspect that the total number of infections is much higher.