How to remove the HiddenAds malware from your Android device
Written by Tomas Meskauskas on (updated)
What is HiddenAds?
Discovered by Dr. Web researchers, HiddenAds is a malware family targeting Android operating systems. This group comprises numerous malicious applications; most operate as adware (display ads), but some are also capable of stealthily subscribing victims to premium-rate services and stealing their social networking accounts.
At the time of research, HiddenAds apps were actively spread through the Google Play Store - with over ten million downloads to their name. This software bears various disguises, e.g., gaming, calling/messaging, system protection/cleaning, image/photo editing, virtual keyboard, wallpaper, and other applications (list of applications associated with HiddenAds can be found below).
HiddenAds malware overview
Most malicious apps that are part of the HiddenAds family have advertising-supported software (adware) functionalities. In other words, they can display advertisements on visited websites and/or other interfaces. This can seriously hinder device usage since the ads can overlay the screen (i.e., webpages, opened apps, home screen, etc.), decrease the browsing speed, and diminish system performance.
Furthermore, these adverts promote online scams, untrustworthy/harmful software, and even malware. Some intrusive ads can even perform stealthy downloads/installations upon being clicked.
Note that while adware may deliver advertisements endorsing legitimate content, it is most likely promoted by scammers abusing the affiliate programs in order to obtain illegitimate commissions.
HiddenAds applications typically require certain permissions to work as intended; these requests can entail asking the user to allow the app to show windows that overlay others or consent to the software being exempt from battery-power saving features.
Some of these malicious apps have additional/other harmful abilities. They can stealthily or through the use of deception - subscribe users to expensive services. Hence, victims can experience continuous billing on their phone bills, connected credit cards, or banking accounts.
Yet another goal of these programs can be the theft of victims' social networking and social media accounts. For example, Dr. Web analysts uncovered several applications presented as image editing tools (cartoon photo filters/effects) that target Facebook accounts.
Cyber criminals commonly seek to obtain social accounts as they can be used to ask the contacts/friends for loans or to further spread malware (by sharing malicious files/links) - under the guise of the genuine owners.
What is more, HiddenAds software can be capable of hiding its icons from the installed apps list and/or the home screen menu. Alternatively, the icons can be replaced with less conspicuous ones.
It is noteworthy that families like HiddenAds are incredibly prolific; there are close to fifty apps associated with this malware group (full list), and it is highly likely that this number will continue to increase. It is just as likely that the applications will be improved upon and acquire new harmful features.
To summarize, the presence of HiddenAds malware on devices can lead to multiple system infections, severe privacy issues, financial losses, and identity theft. If you suspect that your Android device is infected with HiddenAds (or other malware), we highly recommend using an anti-virus to remove it without delay.
Name | HiddenAds trojan |
Threat Type | Android malware, malicious application, adware. |
Detection Names | Avast-Mobile (Android:Evo-gen [Trj]), ESET-NOD32 (A Variant Of Android/Hiddad.AQS), Kaspersky (Not-a-virus:HEUR:AdWare.AndroidOS.Teddad.i), McAfee (Artemis!C354D5529BEA), Full List (VirusTotal) |
Symptoms | The device is running slow, system settings are modified without user's permission, questionable applications appear, data and battery usage is increased significantly, intrusive advertisements are delivered. |
Distribution methods | Infected email attachments, malicious online advertisements, social engineering, deceptive applications, scam websites. |
Damage | Stolen personal information (private messages, logins/passwords, etc.), decreased device performance, battery is drained quickly, decreased Internet speed, huge data losses, monetary losses, stolen identity (malicious apps might abuse communication apps). |
Malware Removal (Android) | To eliminate possible malware infections, scan your mobile device with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Android-specific malware examples
We have analyzed countless malicious programs targeting Android operating systems; AIVARAT, Toll Fraud malware, Bahamut spyware, Revive banking trojan, and SMSFactory are merely some examples of our newest finds. Malware can have various functionalities, which can be in different combinations. Furthermore, the developers of malicious software often update it with improved capabilities and additional features.
However, regardless of how malware operates - its presence on a system endangers device and user safety. Therefore, all threats must be eliminated immediately upon detection.
How did HiddenAds infiltrate my device?
As mentioned in the introduction, HiddenAds applications were proliferated primarily through the Google Play Store. They have varied disguises and/or were packed alongside ordinary software (full list). Many of these apps have already been removed from the Play Store. However, at the time of writing, a number are still available for download. Additionally, it is not unlikely that new disguises have infiltrated this platform.
However, malware is distributed using a broad range of methods. The most commonly used techniques include: drive-by (stealthy and deceptive) downloads, online scams, malicious attachments/links in spam emails and messages, dubious download channels (e.g., freeware and third-party websites, P2P sharing networks, etc.), illegal software activation ("cracking") tools, fake updaters, and malvertising (malicious advertising).
How to avoid installation of malware?
We strongly advise researching software before download/installation and/or purchase, e.g., by checking the developer's reputation, looking through reviews, reading terms and privacy policies, taking note of required permissions, etc. It is just as important to always download from official and verified sources.
Additionally, software must be activated and updated using functions/tools provided by legitimate developers, as illegal activation tools ("cracks") and fake updaters can contain malware.
Another recommendation is to be vigilant with incoming mail. The attachments and links found in suspicious emails and messages - must not be opened as that may result in a system infection. We also advise being cautious when browsing since fraudulent and malicious content usually appears legitimate and harmless.
It is essential to have a dependable anti-virus installed and updated. Security programs must be used to run regular system scans and to remove threats/issues.
Appearances of the permissions asked by malicious apps belonging to the HiddenAds malware family (image source - Bleeping Computer website):
Screenshot of "Craft Forrest Pixelart Robo" application used to disguise HiddenAds malware:
Examples of malicious apps belonging to the HiddenAds malware family:
- 4K Wallpapers Auto Changer (de.andromo.ssfiftylivesixcc)
- Assassin Legend - 2020 NEW
- Call Skins - Caller Themes (com.rockskinthemes.app)
- CallMe Phone Themes (com.callercallwallpaper.app)
- Caller Theme (com.caller.theme.slow)
- Cashe Cleaner (com.cachecleanereasytool.app)
- Craft Forrest Pixelart Robo
- Cream Trip - NEW
- Crush Car
- Desert Against
- Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
- Fancy Charging (com.fancyanimatedbattery.app)
- FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
- Find 5 Differences - 2020 NEW
- Find Hidden
- Find the Differences - Puzzle Game
- Flying Skateboard
- Funny Caller (com.funnycallercustomtheme.app)
- Funny Wallpapers - Live Screen (com.funnywallpapaerslive.app)
- Helicopter Attack - NEW
- Helicopter Shoot
- InCall: Contact Background (com.mycallcustomcallscrean.app)
- Iron it
- Jump Jump
- Money Destroyer
- MyCall - Call Personalization (com.mycallcallpersonalization.app)
- Neon Theme - Android Keyboard (com.androidneonkeyboard.app)
- Neon Theme Keyboard (com.neonthemekeyboard.app)
- NewScrean: 4D Wallpapers (com.newscrean4dwallpapers.app)
- Notes - reminders and lists (com.notesreminderslists.app)
- Photo & Exif Editor (de.xnano.photoexifeditornine)
- Photo Editor & Background Eraser (de.photoground.twentysixshot)
- Photo Editor - Design Maker (gb.twentynine.redaktoridea)
- Photo Editor - Filters Effects (de.hitopgop.sixtyeightgx)
- Photo Editor : Blur Image (de.instgang.fiftyggfife)
- Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)
- Photo Editor: Art Filters (gb.painnt.moonlightingnine)
- Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)
- Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
- Photo Filters & Effects (de.sixtyonecollice.cameraroll)
- Plant Monster
- Props Rescue
- Rolling Scroll
- Rotate Shape
- Rugby Pass
- Shoot Them
- Shooting Run
- Stock Wallpapers & Backgrounds (de.stockeighty.onewallpapers)
- Sway Man
Update 28 April 2023 – Around 35 million Android users worldwide downloaded a collection of 38 Minecraft imitator games from Google Play, which contained the Android adware HiddenAds. Despite the adware activity occurring in the background, users were able to play the games as advertised without noticing any malicious activity.
Among the most frequently downloaded applications were Block Box Master Diamond, Block Box Skyland Sword, Block Forrest Tree Crazy, Block Game Skyland Forrest, Block Pro Forrest Diamond, Block Rainbow Sword Dragon, Craft Monster Crazy Sword, Craft Rainbow Mini Builder, and Craft Sword Mini Fun.
Update June 15, 2023 – as predicted, the HiddenAds malware family continues to evolve. With their new anomaly detection technology, Bitdefender has uncovered compromised applications well within the sixty thousand range. It is speculated that the true impact of HiddenAds is even greater than that.
Based on the models used by these adware-type apps, it is evident that they could be easily repurposed for the promotion of high-risk malware such as ransomware and banking trojans. HiddenAds has also changed tactics since the hidden app icon feature was curtailed on Android devices. More information on these developments can be found in an article on Bitdefender's blog.
Quick menu:
- Introduction
- How to delete browsing history from the Chrome web browser?
- How to disable browser notifications in the Chrome web browser?
- How to reset the Chrome web browser?
- How to delete browsing history from the Firefox web browser?
- How to disable browser notifications in the Firefox web browser?
- How to reset the Firefox web browser?
- How to uninstall potentially unwanted and/or malicious applications?
- How to boot the Android device in "Safe Mode"?
- How to check the battery usage of various applications?
- How to check the data usage of various applications?
- How to install the latest software updates?
- How to reset the system to its default state?
- How to disable applications that have administrator privileges?
Delete browsing history from the Chrome web browser:
Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "History" in the opened dropdown menu.
Tap "Clear browsing data", select "ADVANCED" tab, choose the time range and data types you want to delete and tap "Clear data".
Disable browser notifications in the Chrome web browser:
Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "Settings" in the opened dropdown menu.
Scroll down until you see "Site settings" option and tap it. Scroll down until you see "Notifications" option and tap it.
Find the websites that deliver browser notifications, tap on them and click "Clear & reset". This will remove permissions granted for these websites to deliver notifications. However, once you visit the same site again, it may ask for a permission again. You can choose whether to give these permissions or not (if you choose to decline the website will go to "Blocked" section and will no longer ask you for the permission).
Reset the Chrome web browser:
Go to "Settings", scroll down until you see "Apps" and tap it.
Scroll down until you find "Chrome" application, select it and tap "Storage" option.
Tap "MANAGE STORAGE", then "CLEAR ALL DATA" and confirm the action by taping "OK". Note that resetting the browser will eliminate all data stored within. This means that all saved logins/passwords, browsing history, non-default settings and other data will be deleted. You will also have to re-login into all websites as well.
Delete browsing history from the Firefox web browser:
Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "History" in the opened dropdown menu.
Scroll down until you see "Clear private data" and tap it. Select data types you want to remove and tap "CLEAR DATA".
Disable browser notifications in the Firefox web browser:
Visit the website that is delivering browser notifications, tap the icon displayed on the left of URL bar (the icon will not necessarily be a "Lock") and select "Edit Site Settings".
In the opened pop-up opt-in the "Notifications" option and tap "CLEAR".
Reset the Firefox web browser:
Go to "Settings", scroll down until you see "Apps" and tap it.
Scroll down until you find "Firefox" application, select it and tap "Storage" option.
Tap "CLEAR DATA" and confirm the action by taping "DELETE". Note that resetting the browser will eliminate all data stored within. This means that all saved logins/passwords, browsing history, non-default settings and other data will be deleted. You will also have to re-login into all websites as well.
Uninstall potentially unwanted and/or malicious applications:
Go to "Settings", scroll down until you see "Apps" and tap it.
Scroll down until you see a potentially unwanted and/or malicious application, select it and tap "Uninstall". If, for some reason, you are unable to remove the selected app (e.g., you are prompted with an error message), you should try using the "Safe Mode".
Boot the Android device in "Safe Mode":
The "Safe Mode" in Android operating system temporarily disables all third-party applications from running. Using this mode is a good way to diagnose and solve various issues (e.g., remove malicious applications that prevent users you from doing so when the device is running "normally").
Push the "Power" button and hold it until you see the "Power off" screen. Tap the "Power off" icon and hold it. After a few seconds the "Safe Mode" option will appear and you'll be able run it by restarting the device.
Check the battery usage of various applications:
Go to "Settings", scroll down until you see "Device maintenance" and tap it.
Tap "Battery" and check the usage of each application. Legitimate/genuine applications are designed to use as low energy as possible in order to provide the best user experience and to save power. Therefore, high battery usage may indicate that the application is malicious.
Check the data usage of various applications:
Go to "Settings", scroll down until you see "Connections" and tap it.
Scroll down until you see "Data usage" and select this option. As with battery, legitimate/genuine applications are designed to minimize data usage as much as possible. This means that huge data usage may indicate presence of malicious application. Note that some malicious applications might be designed to operate when the device is connected to wireless network only. For this reason, you should check both Mobile and Wi-Fi data usage.
If you find an application that uses a lot of data even though you never use it, then we strongly advise you to uninstall it as soon as possible.
Install the latest software updates:
Keeping the software up-to-date is a good practice when it comes to device safety. The device manufacturers are continually releasing various security patches and Android updates in order to fix errors and bugs that can be abused by cyber criminals. An outdated system is way more vulnerable, which is why you should always be sure that your device's software is up-to-date.
Go to "Settings", scroll down until you see "Software update" and tap it.
Tap "Download updates manually" and check if there are any updates available. If so, install them immediately. We also recommend to enable the "Download updates automatically" option - it will enable the system to notify you once an update is released and/or install it automatically.
Reset the system to its default state:
Performing a "Factory Reset" is a good way to remove all unwanted applications, restore system's settings to default and clean the device in general. However, you must keep in mind that all data within the device will be deleted, including photos, video/audio files, phone numbers (stored within the device, not the SIM card), SMS messages, and so forth. In other words, the device will be restored to its primal state.
You can also restore the basic system settings and/or simply network settings as well.
Go to "Settings", scroll down until you see "About phone" and tap it.
Scroll down until you see "Reset" and tap it. Now choose the action you want to perform:
"Reset settings" - restore all system settings to default;
"Reset network settings" - restore all network-related settings to default;
"Factory data reset" - reset the entire system and completely delete all stored data;
Disable applications that have administrator privileges:
If a malicious application gets administrator-level privileges it can seriously damage the system. To keep the device as safe as possible you should always check what apps have such privileges and disable the ones that shouldn't.
Go to "Settings", scroll down until you see "Lock screen and security" and tap it.
Scroll down until you see "Other security settings", tap it and then tap "Device admin apps".
Identify applications that should not have administrator privileges, tap them and then tap "DEACTIVATE".
Frequently Asked Questions (FAQ)
My Android device is infected with HiddenAds malware, should I format my storage device to get rid of it?
No, HiddenAds malware removal does not require formatting.
What are the biggest issues that HiddenAds malware can cause?
The threats posed by a malicious program depend on its capabilities and the cyber criminals' aims. The apps belonging to the HiddenAds malware family usually operate as adware (i.e., display various advertisements). This type of software can decrease browsing quality and system performance. Additionally, the ads it delivers can be deceptive/malicious and cause serious problems (e.g., system infections, financial losses, etc.).
Some HiddenAds applications can subscribe victims to premium services, while others are designed to steal social media accounts. Therefore, these infections also pose a threat to user privacy and financial integrity.
What is the purpose of HiddenAds malware?
Typically, malicious software is used to generate revenue. However, it can also be used for the attackers' amusements or to disrupt processes (e.g., websites, services, etc.), enact personal grudges, and launch politically/geopolitically motivated attacks.
How did HiddenAds malware infiltrate my Android device?
HiddenAds has been notably promoted on the Google Play Store under various disguises, e.g., mobile games, image-editing software, system optimization tools, etc. (full list above). However, other distribution methods are likely. Malware is primarily proliferated via online scams, malvertising, spam emails/messages, drive-by downloads, untrustworthy download channels (e.g., unofficial and free file-hosting sites, P2P sharing networks, etc.), illegal program activation ("cracking") tools, and fake updates.
▼ Show Discussion