You have been warned \u2014 get deleting.<\/p>\n
Getty<\/p>\n
Update: Republished on May 10 with new warnings into high-risk apps. <\/p>\n
A serious threat to Android users has been revealed today, with as many as 2.5 million dangerous apps being installed each and every month. The apps have a nasty trick that fools users into the initial download, and once on a phone, the damage is done. There\u2019s a new list of apps to delete, but there\u2019s also a simple warning that will help keep you safe.<\/p>\n
The new report comes courtesy of Integral Ad Science,<\/a> the same team that warned of the \u201cVapor<\/a>\u201d attacks on Android phones in March. This new threat is dubbed \u201cKaleidoscope \u2014 due to its constant transformations as it tries to evade detection and analysis.” The name has changed but the threat is broadly the same.<\/p>\n The cyber criminals behind this latest ad fraud machine plant benign apps on Google\u2019s Play Store that contain none of their malicious code. They then distribute malicious replicas of those apps through third-party app stores and direct installs. Users are directed to those duplicates via messaging and social media channels. To users, it seems that they\u2019re downloading a legitimate app through an ad or promotion. And to advertisers, it seems their ad impressions are coming from legitimate apps.<\/p>\n ForbesGoogle\u2019s New Update Scans Your Screenshots For LocationsBy Zak Doffman<\/a><\/p>\n The attackers\u2019 payday comes via those advertisers who have no idea their ads are being pushed out at an industrial scale to infected phones, where they disrupt the normal use of the phone to generate impressions which turn to cash. “The malicious app delivers intrusive out-of-context ads under the guise of the benign app ID in the form of full-screen interstitial images and videos, triggered even without user interaction.\u201d<\/p>\n The SDK driving this malicious behavior has been updated and has now even been retrospectively added into apps that were previously caught doing the same. They now have a differently named SDK at their core. The infected apps are on this list<\/a>.<\/p>\n This type of threat is well established. A year ago, I reported on the \u201cevil twin<\/a>\u201d attacks flagged by Human Security, which warned that the \u201cKonfety<\/a>\u201d ad fraud operation had deployed as many as 250 decoy apps on Play Store. Those legitimate and malicious apps shared a common \u201cCaramelSDK\u201d reference which aided detection and mitigation. Those references have been removed, albeit the original threat itself has not gone away.<\/p>\n IAS says it \u201canalyzed both earlier and newer versions of benign and malicious variants associated with this scheme, examining previously known apps as well as newly discovered ones involved in this evolving threat.\u201d<\/p>\n Google has removed flagged apps from Play Store and assures Play Protect will safeguard users from known versions of the threat. But this is a sideloading problem and an industry problem. \u201cThe entities behind Kaleidoscope have successfully identified a network of resellers who are not particularly diligent in vetting the quality of the inventory they deliver to advertisers, enabling them to effectively launder their traffic.\u201d<\/p>\n ForbesCheck For Update On Your Phone\u2014Apps Stop Working This MonthBy Zak Doffman<\/a><\/p>\n Advice on staying safe is simple. If you\u2019re in the habit of sideloading, then scan the list of infected apps and delete any you recognize. Then take care on how many such third-party or direct installs you allow onto your phone.<\/p>\n Sideloading has never been more under threat than now. It remains one of the key differentiators between Android and iPhone, notwithstanding Apple has again just been given 90 days to allow sideloading in Brazil. This follows the more significant EU ruling in Europe and the more material (financially at least) Epic Games ruling in the U.S.<\/p>\n Google has clamped down on sideloading in Android 15, making it harder at least. And Samsung has gone further with One UI 7, its Android 15 wrap, expanding its default maximum restrictions to do all it can to deter users from installs outside main stores.<\/p>\n \u201cI no longer seem to be bothered about the ability to sideload apps,\u201d explained one newspaper columnist this weekend<\/a>. \u201cIt\u2019s just too risky in 2025, and I\u2019ve heard the same from quite a few Android loyalists who now stay away from sideloading for one specific reason \u2014 security.\u201d And this despite that same columnist \u201cpicking the OnePlus 13, my current daily driver, for multiple reasons; primarily for the fact that it\u2019s an Android-powered device that allows sideloading.\u201d<\/p>\n