Android ‘auto-starting’ malware discovered on millions of devices

Android malware - LoughTec Cyber Security Company

Apps that contain the HiddenAds malware start running malicious services immediately after installation

A new strain of malware has been discovered by McAfee’s researchers on the Google Play Store. This malicious software is capable of launching itself automatically after users download one of the infected apps.

Apps that contain the HiddenAds malware start running malicious services immediately after installation, unlike other malicious apps that need to be opened first. They also continually display advertisements on a victim’s Android smartphone and are difficult to remove once installed.

McAfee’s Mobile Research Team stated in a blog post recently that the majority of apps containing this new malware are designed to look like cleaner apps. These applications claim to delete junk files or help improve battery life on Android devices.

Although the apps contain malware, all of these apps still managed to make it onto the Play Store and bypass Google's defences.

Apps that should be deleted immediately

Here’s a list of all 13 apps that include the HiddenAds malware, as well as how many times they’ve been downloaded from the Google Play Store:

  • Junk Cleaner – 1M+
  • EasyCleaner – 100K+
  • Power Doctor – 500K+
  • Super Clean – 500K+
  • Full Clean -Clean Cache – 1M+
  • Fingertip Cleaner – 500K+
  • Quick Cleaner – 1M+
  • Keep Clean – 1M+
  • Windy Clean – 500K+
  • Carpet Clean – 100K+
  • Cool Clean – 500K+
  • Strong Clean – 500K+
  • Meteor Clean – 100K+

Auto-starting malware that is capable of concealing itself

Although the apps contain malware, all of these apps still managed to make it onto the Play Store and bypass Google’s defences. However, McAfee has now shared its findings with Google, which has since removed them. You will still need to delete them from your Android phone yourself, though.

Although it is usually safe to download and install an app without opening it, this is not the case with these apps. When you install any of these apps on your devices, they will automatically launch the HiddenAds malware and begin operating in the background.

These harmful apps can also conceal themselves to prevent users from detecting and removing them. For example, they alter their icons to resemble the Google Play icon that people are familiar with and rename themselves to ‘Google Play’ or ‘Settings.’

There are several ways that the HiddenAds malware applications display ads to their victims. They are displayed in full-screen and are very intrusive. In addition to this, they also try to get users to run an app whenever they install, uninstall or update any other apps on their devices.


Facebook advertising

The cybercriminals used Facebook as a means to promote their new malware.

All of these apps avoided Google’s security measures and ended up on the Play Store. As a result, their creators were able to make Facebook pages for each app and promote them through the social platform. Even though these links may lead to apps with malware, Facebook doesn’t view Play Store URLs as malicious.

Cybercriminals often take advantage of free services to attract victims to their malware and anyone can create their own Facebook Business account and business page.


Protecting yourself from the HiddenAds malware

  • Check that none of the above-listed apps are installed on your Android smartphone or tablet.
  • If so, uninstall them immediately.
  • Consider utilising a legitimate antivirus tool/application on your Android device to remove any malware that may be left behind.
  • Ensure Google Play Protect is enabled on your devices – this is a great way to scan the apps installed on your smartphone for malware and will notify you if you’re about to install a suspicious app.
  • Only download apps from the Google Play Store and not apps from unknown sources.


As the HiddenAds malware is still in development, and its creators are also developing new versions, we may see other malicious applications using it in the future, according to McAfee.

If you are interested in learning more about how LoughTec can help protect your critical IT infrastructure, contact us today.

Contact Cyber Security Company LoughTec for a free no-obligation discussion on your business cyber security posture. Call +44 (0) 28 8225 2445 or email


LoughTec: Watertight Cyber Security and IT Solutions