Millions of Android users may have fallen victim to a new adware campaign concealed in seemingly harmless applications from Google Play. Researchers at Check Point Research uncovered an operation known as GhostAd, built on a network of at least 15 apps that had collectively been downloaded millions of times — one of them even reached 2nd place in the “Top Free Tools” ranking. The highest number of victims was recorded in the Philippines, Pakistan, and Malaysia, but infections were also observed in Europe and Africa. It is yet another warning sign for users of the world’s most popular mobile operating system.
According to Check Point’s analysis, the apps created for the GhostAd operation registered themselves as a foreground service immediately upon launch — a process that continues running even after the app is closed or the phone is restarted. In line with Android’s requirements, this service was supposed to display a notification indicating that it was running in the background. However, the GhostAd developers crafted an empty, nearly invisible message that users could not remove. During this time, an uninterrupted stream of ads was displayed.
To strengthen the adware’s persistence, the attackers used Android’s JobScheduler component to schedule the ad-loading tasks every few seconds, which allowed the adware to “heal itself” whenever Android attempted to stop the process. As a result, ads were loaded and refreshed continuously without any interaction from the user, causing device overheating, rapid battery drain, and unnecessary consumption of mobile data even when the phone’s screen was off.
Interestingly, in Google Play reviews, users complained about aggressive pop-ups, the disappearance of the app’s icon from the home screen, and difficulties uninstalling the program. Many described GhostAd as “a virus that takes over the phone.”
Potential Data Risks
GhostAd integrated several legitimate advertising software development kits (SDKs), including Pangle, Vungle, MBridge, AppLovin, and BIGO, but used them in ways that violated their usage policies. What’s more, Check Point researchers emphasize that, given the appropriate permissions, such code needs no classic “exploit” to become a real threat to user data. An app with constant internet access and permission to read and write shared storage can scan directories containing documents, logs, screenshots, and backups, including those originating from corporate systems, and transmit them to the attacker’s server without the user’s knowledge.
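As an added defender-side example (not code from the article or from Check Point), the following Python script triages a decoded AndroidManifest.xml for the combination of traits the article describes: a foreground service, a JobScheduler job, boot persistence, shared-storage plus network permissions, and components from the named ad SDKs. The SDK package prefixes and the sample manifest are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix of every android: attribute
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE"}
WATCHED = STORAGE | {"android.permission.INTERNET", "android.permission.FOREGROUND_SERVICE",
                     "android.permission.RECEIVE_BOOT_COMPLETED"}
JOB_SERVICE = "android.permission.BIND_JOB_SERVICE"  # a service guarded by this is a JobScheduler job
# Package prefixes for the SDKs the article names (assumed here, not taken from the article).
AD_SDK_PREFIXES = {"com.bytedance.sdk.openadsdk": "Pangle", "com.vungle": "Vungle",
                   "com.mbridge.msdk": "MBridge", "com.applovin": "AppLovin", "sg.bigo.ads": "BIGO"}

def triage_manifest(xml_text: str) -> dict:
    """Collect the GhostAd-style traits declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {el.get(A + "name") for el in root.iter("uses-permission")}
    job_services = [s.get(A + "name") for s in root.iter("service")
                    if s.get(A + "permission") == JOB_SERVICE]
    # Any declared component whose class lives under a known ad SDK package.
    sdks = {sdk for el in root.iter() for prefix, sdk in AD_SDK_PREFIXES.items()
            if (el.get(A + "name") or "").startswith(prefix)}
    return {"permissions": sorted(perms & WATCHED),
            "job_services": job_services, "ad_sdks": sorted(sdks)}

def ghostad_like(traits: dict) -> bool:
    """True when persistence, bundled ad SDKs and a storage-to-network path all coincide."""
    perms = set(traits["permissions"])
    persistent = "android.permission.FOREGROUND_SERVICE" in perms and bool(traits["job_services"])
    exfil_path = "android.permission.INTERNET" in perms and bool(perms & STORAGE)
    return persistent and exfil_path and bool(traits["ad_sdks"])

# Constructed sample manifest exhibiting the traits above; not a real GhostAd app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".KeepAliveService" android:foregroundServiceType="dataSync"/>
    <service android:name=".AdRefreshJob" android:permission="android.permission.BIND_JOB_SERVICE"/>
    <activity android:name="com.applovin.sample.AdActivity"/>
    <service android:name="com.vungle.sample.AdService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), "->", ghostad_like(triage_manifest(SAMPLE_MANIFEST)))
```

Run it against the output of an APK decoder to get a quick triage verdict; a hit is a reason to inspect the app, not proof of malice on its own.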
In practice, this means that an employee’s personal phone can become a long-term channel for data leakage. This is particularly troubling in a world where smartphones are routinely used for corporate email, CRM systems, communication tools, and remote-work applications.
Source: ceo.com.pl