Most malware keeps a low profile. But apps containing Hiddad, ad-distributing malware for Android, get lots of 5-star ratings from infected users – and not for the usual reasons. Hiddad is presented as a YouTube downloading app and usually goes to market on Google Play labeled as Tube mate or Snap Tube. The apps distributing this malware all have lots of 5-star ratings from users – and show why it’s important to read the reviews and not just count the number of 5-star ratings.
How Hiddad works
Hiddad starts with a low-profile approach. When installing, all apps in the Hiddad family have the same name – “Music Mania” – and the same icon, with no requests for suspicious permissions.
But after clicking “Install”, we can see that another application called “plugin android” is requesting installation permission, and if we click next, we see that it is requesting device administrator privileges.
If we click “Activate”, the “Music Mania” application will open, with a surprising request:
These applications force users into leaving 5-star ratings in order to remove ads from the app.
Newer versions of Hiddad include various repackaged games, but they all share the same behavior: they require users to rate them with five stars to unlock some functionality – unblock content such as wallpapers, remove ads, or increase game playability.
This attempt by users to remove the ads has an interesting side effect: it gives Hiddad apps high ratings in Google Play, which increases their visibility and results in them being downloaded by more victims.
But there is a catch to the high ratings. Most of these apps do NOT remove ads after the 5-star rating is given. This causes frustration among users who leave reviews such as “This game is trash ads after ads, I had to rate 5 stars to proceed.”
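The pattern described above, a high star average whose 5-star reviews complain or say the rating was demanded, can be checked mechanically. The Python sketch below is an added example, not part of the original post; the phrase lists, the 0.25 threshold and all sample reviews except the one quoted above are constructed assumptions.

```python
import re

# Assumed phrase lists for illustration; tune them against real review data.
COERCION = re.compile(
    r"\b(had|have|forced|made|makes?|need(ed)?|must)\b.{0,30}"
    r"\b(rate|rating|5 stars?|five stars?)\b", re.IGNORECASE)
COMPLAINT = re.compile(
    r"\b(trash|scam|fake|ads? after ads?|too many ads|doesn'?t work)\b",
    re.IGNORECASE)

# Constructed sample as (stars, text); the first text is the review quoted above.
SAMPLE = [
    (5, "This game is trash ads after ads, I had to rate 5 stars to proceed."),
    (5, "Great app, works fine"),
    (5, "They make you rate five stars to remove ads and the ads are still there"),
    (1, "Asked for device administrator rights, uninstalled"),
    (5, "good"),
]

def flag_review(stars, text):
    """Return the reasons a 5-star review contradicts its own score."""
    if stars != 5:
        return []
    reasons = []
    if COERCION.search(text):
        reasons.append("coerced")
    if COMPLAINT.search(text):
        reasons.append("complaint")
    return reasons

def rating_report(reviews, threshold=0.25):
    """Compare the star average with what the 5-star reviews actually say."""
    five = [text for stars, text in reviews if stars == 5]
    flagged = [(text, flag_review(5, text)) for text in five if flag_review(5, text)]
    mean = sum(stars for stars, _ in reviews) / len(reviews) if reviews else 0.0
    share = len(flagged) / len(five) if five else 0.0
    return {
        "mean_stars": round(mean, 2),
        "flagged_share": round(share, 2),   # share of 5-star reviews flagged
        "suspicious": share >= threshold,   # high average, contradictory text
        "flagged": flagged,
    }

if __name__ == "__main__":
    print(rating_report(SAMPLE))
```

Keyword matching like this produces false positives and misses paraphrases, so treat a flagged app as a prompt to read its reviews, not as a verdict.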
How to remove Music Mania
Go to Settings -> Application Manager, where you can find both components of this malware.
Both must be removed in order to get rid of the malware. “Music Mania,” the first part, can be uninstalled simply by clicking “uninstall.” However, for the “plugin android” part, you must first go to “Settings – Device administrators – permissions required” and remove the Device Administrator permission before uninstalling it.
The moral to the story
There is a lesson to be learned here – when installing an application from Google Play, just looking at the star rating is not enough. You must also read the user reviews to get a clear picture of what the application actually does.
Also, don’t forget: If you have an antivirus for Android like the Avira one installed on your phone, you’d never need to worry – we’ve got you covered. Avira identifies this malware as Hiddad.C.Gen.