Facebook Ads Power Android Adware

In the spirit of “advertising is the lifeblood of business”, Facebook ads are the origin of Android adware.

Various applications of adware aggressively promoted on Facebook as system cleaners and optimizers for Android devices have millions of installs on the Google Play Store.

Facebook Ads Power Android Adware

Apps don’t have all the functionality promised and they send ads while trying to last as long as possible on the device.

To avoid deletion, the apps hide on the victim’s device by constantly changing icons and names, disguised as settings or the Play Store itself.

Facebook ads boost Android adware – Change name and icon of installed app (McAfee)

Adware apps abuse the Android Contact Provider component, which enables data transfer between the device and online services.

The subsystem is called whenever a new app is installed, so adware can use it to start the ad serving process. For the user, it may seem that the advertisements are sent by the legitimate application that he has installed.

McAfee Researchers discovered advertising apps. They note that users do not need to launch them after installation to see advertisements because the adware starts automatically without any interaction.

The first action of these annoying apps is to create a permanent service to display advertisements. If the process is “killed” (terminated), it will be restarted immediately.

Facebook Ads Power Android Adware
Facebook Ads Boost Android Adware – Malicious Service Relaunched Almost Immediately (McAfee)

The following video demonstrates how the adware’s name and icon change automatically and how ad serving occurs without any user interaction.

As McAfee notes in the report, users are convinced to trust adware apps because they see a Play Store link on Facebook, leaving little room for doubt.

Facebook Ads Power Android Adware
Facebook Ads Boost Android Adware – Facebook Promo for Cleaner App (McAfee)

This resulted in an unusually high number of downloads for the specific type of apps, as shown in the list below:

  • Junk Cleaner, cn.junk.clean.plp, over a million downloads
  • EasyCleaner, com.easy.clean.ipz, over 100 million downloads
  • Power Doctor, com.power.doctor.mnb, over 500,000 downloads
  • Super Clean, com.super.clean.zaz, over 500 million downloads
  • Full Clean – Clean Cache, org.stemp.fll.clean, over 1 million downloads
  • Fingertip Cleaner, com.fingertip.clean.cvb, over 500 million downloads
  • Quick Cleaner, org.qck.cle.oyo, over a million downloads
  • Keep Clean, org.clean.sys.lunch, over a million downloads
  • Windy Clean, in.phone.clean.www, over 500 million downloads
  • Carpet Clean, og.crp.cln.zda, over 100 million downloads
  • Carpet Cleaning, og.crp.cln.zda, 100K+ downloads
  • Cool Clean, syn.clean.cool.zbc, over 500 million downloads
  • Strong Clean, in.memory.sys.clean, over 500 million downloads
  • Meteor Clean, org.ssl.wind.clean, over 100 million downloads

The majority of users

Heatmap of infected Android users
Facebook Ads Generate Android Adware – Heatmap of Infected Android Users (McAfee)

teens is in South Korea, Japan, and Brazil, but the adware has unfortunately reached users all over the world.
Adware apps are no longer available on the Play Store. However, users who installed them must manually remove them from their device.

System cleaners and optimizers are popular software categories despite the low benefits they offer. Cybercriminals know that a large number of users would try these solutions to extend the life of their devices and they often disguise malicious applications as such.

Leave a Comment