Google’s official Play marketplace is waging an uphill battle against Android apps that display an unending stream of popup ads even when users try to force them to stop, researchers said Friday.
The researchers, from UK-based SophosLabs, said they have found a total of 47 apps in the past week that collectively have racked up as many as 6 million downloads. They all use a third-party library that bombards users with ads that continue to display even after users force-close the app or scrub memory. In a blog post, SophosLabs said Google has removed some of the privately reported apps while allowing others to remain.
The MarsDae library that’s spawning the popup torrent supports Android versions 2.3 through 6, as well as Samsung, Huawei, Mizu, Mi, and Nexus devices. One app that incorporates MarsDae, SophosLabs said, is Snap Pic Collage Color Splash, which remained available on Google servers as this post was being prepared. Snap Pic has been downloaded from 50,000 to 100,000 times. Once installed, it displays ads on the Android home screen. Even after a user uses the Android settings to force close the app, the ads resume a few seconds later.
According to Sophos, the MarsDae library takes the following steps to keep ads appearing on devices running Android versions 5 and 6:
- It runs code that kicks off a number of processes.
- It creates a file, then locks it.
- Each process creates another file. For example, Process A creates a2 and repeatedly checks if Process B has created file b2, and vice versa.
- If Process A finds file b2, it means Process B has started and locked file b1. Process A can delete file b2. Process B will do the same thing for file a2.
- Process A keeps monitoring the lock status of file b1 while Process B monitors file a1. If any file is unlocked, it means the related process is dead. Then another process can restart it again.
A full list of apps using the library include:
cn.etouch.ecalendar.life com.aimobo.weatherclear com.ali.money.shield com.anti.block.porn.safebrowser com.app.fast.boost.cleaner com.app.wifi.recovery.master com.baiwang.facesnap com.block.puzzle.game.king com.booster.ram.app.master.clean com.card.game.bl.plugintheme21 com.card.game.bl.plugintheme22 com.card.game.bl.plugintheme23 com.cardgame.solitaire.sfour com.clean.phone.boost.android.junk.cleaner com.cleaner.booster.speed.junk.memory com.color.paper.style com.corous360.zipay com.desk.paper.watch com.exact.digital.ledcompass com.free.sudoku.puzzle com.freegames.happy.popcandy com.freegames.popstar com.freegames.popstar.exterme com.gmiles.alarmclock com.gmiles.switcher com.insta.browser com.listen.music.pedometer com.ljapps.wifix.recovery.password com.mg.callrecord com.mola.tools.mbattery com.mola.tools.openweather com.mx.cool.videoplayer com.news.boost.clean com.ojhero.nowcall com.phonecooler.battery.cleaner.wifimaster com.picture.photo.editor com.powercleaner com.red.music.audio.player com.riti.elocation.driver com.samll.game.puzzle.plus com.smartx.flashlight com.tool.powercleanlite com.tool.videomanager com.tools.freereminder com.wise.trackme.activity org.mbj.filemanager org.mbj.sticker
Google officials didn’t immediately provide Ars with a comment on Friday’s report. This post will be updated if they get back to us later.
This post originated on Ars Technica