FacebookTwitterLinkedIn

How to remove the HiddenAds malware from your Android device

Also Known As: HiddenAds trojan
Type: Trojan
Damage level: Severe

What is HiddenAds?

Discovered by Dr. Web researchers, HiddenAds is a malware family targeting Android operating systems. This group comprises numerous malicious applications; most operate as adware (display ads), but some are also capable of stealthily subscribing victims to premium-rate services and stealing their social networking accounts.

At the time of research, HiddenAds apps were actively spread through the Google Play Store - with over ten million downloads to their name. This software bears various disguises, e.g., gaming, calling/messaging, system protection/cleaning, image/photo editing, virtual keyboard, wallpaper, and other applications (list of applications associated with HiddenAds can be found below).

HiddenAds malware detections on VirusTotal

HiddenAds malware overview

Most malicious apps that are part of the HiddenAds family have advertising-supported software (adware) functionalities. In other words, they can display advertisements on visited websites and/or other interfaces. This can seriously hinder device usage since the ads can overlay the screen (i.e., webpages, opened apps, home screen, etc.), decrease the browsing speed, and diminish system performance.

Furthermore, these adverts promote online scams, untrustworthy/harmful software, and even malware. Some intrusive ads can even perform stealthy downloads/installations upon being clicked.

Note that while adware may deliver advertisements endorsing legitimate content, it is most likely promoted by scammers abusing the affiliate programs in order to obtain illegitimate commissions.

HiddenAds applications typically require certain permissions to work as intended; these requests can entail asking the user to allow the app to show windows that overlay others or consent to the software being exempt from battery-power saving features.

Some of these malicious apps have additional/other harmful abilities. They can stealthily or through the use of deception - subscribe users to expensive services. Hence, victims can experience continuous billing on their phone bills, connected credit cards, or banking accounts.

Yet another goal of these programs can be the theft of victims' social networking and social media accounts. For example, Dr. Web analysts uncovered several applications presented as image editing tools (cartoon photo filters/effects) that target Facebook accounts.

Cyber criminals commonly seek to obtain social accounts as they can be used to ask the contacts/friends for loans or to further spread malware (by sharing malicious files/links) - under the guise of the genuine owners.

What is more, HiddenAds software can be capable of hiding its icons from the installed apps list and/or the home screen menu. Alternatively, the icons can be replaced with less conspicuous ones.

It is noteworthy that families like HiddenAds are incredibly prolific; there are close to fifty apps associated with this malware group (full list), and it is highly likely that this number will continue to increase. It is just as likely that the applications will be improved upon and acquire new harmful features.

To summarize, the presence of HiddenAds malware on devices can lead to multiple system infections, severe privacy issues, financial losses, and identity theft. If you suspect that your Android device is infected with HiddenAds (or other malware), we highly recommend using an anti-virus to remove it without delay.

Threat Summary:
Name HiddenAds trojan
Threat Type Android malware, malicious application, adware.
Detection Names Avast-Mobile (Android:Evo-gen [Trj]), ESET-NOD32 (A Variant Of Android/Hiddad.AQS), Kaspersky (Not-a-virus:HEUR:AdWare.AndroidOS.Teddad.i), McAfee (Artemis!C354D5529BEA), Full List (VirusTotal)
Symptoms The device is running slow, system settings are modified without user's permission, questionable applications appear, data and battery usage is increased significantly, intrusive advertisements are delivered.
Distribution methods Infected email attachments, malicious online advertisements, social engineering, deceptive applications, scam websites.
Damage Stolen personal information (private messages, logins/passwords, etc.), decreased device performance, battery is drained quickly, decreased Internet speed, huge data losses, monetary losses, stolen identity (malicious apps might abuse communication apps).
Malware Removal (Android)

To eliminate possible malware infections, scan your mobile device with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
▼ Download Combo Cleaner
for Android

To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Android-specific malware examples

We have analyzed countless malicious programs targeting Android operating systems; AIVARATToll Fraud malwareBahamut spywareRevive banking trojan, and SMSFactory are merely some examples of our newest finds. Malware can have various functionalities, which can be in different combinations. Furthermore, the developers of malicious software often update it with improved capabilities and additional features.

However, regardless of how malware operates - its presence on a system endangers device and user safety. Therefore, all threats must be eliminated immediately upon detection.

How did HiddenAds infiltrate my device?

As mentioned in the introduction, HiddenAds applications were proliferated primarily through the Google Play Store. They have varied disguises and/or were packed alongside ordinary software (full list). Many of these apps have already been removed from the Play Store. However, at the time of writing, a number are still available for download. Additionally, it is not unlikely that new disguises have infiltrated this platform.

However, malware is distributed using a broad range of methods. The most commonly used techniques include: drive-by (stealthy and deceptive) downloads, online scams, malicious attachments/links in spam emails and messages, dubious download channels (e.g., freeware and third-party websites, P2P sharing networks, etc.), illegal software activation ("cracking") tools, fake updaters, and malvertising (malicious advertising).

How to avoid installation of malware?

We strongly advise researching software before download/installation and/or purchase, e.g., by checking the developer's reputation, looking through reviews, reading terms and privacy policies, taking note of required permissions, etc. It is just as important to always download from official and verified sources.

Additionally, software must be activated and updated using functions/tools provided by legitimate developers, as illegal activation tools ("cracks") and fake updaters can contain malware.

Another recommendation is to be vigilant with incoming mail. The attachments and links found in suspicious emails and messages - must not be opened as that may result in a system infection. We also advise being cautious when browsing since fraudulent and malicious content usually appears legitimate and harmless.

It is essential to have a dependable anti-virus installed and updated. Security programs must be used to run regular system scans and to remove threats/issues.

Appearances of the permissions asked by malicious apps belonging to the HiddenAds malware family (image source - Bleeping Computer website):

Example of the permissions asked by HiddenAds malware 1 Example of the permissions asked by HiddenAds malware 2

Screenshot of "Craft Forrest Pixelart Robo" application used to disguise HiddenAds malware:

HiddenAds malware disguising as Craft Forrest Pixelart Robo application

Examples of malicious apps belonging to the HiddenAds malware family:

  • 4K Wallpapers Auto Changer (de.andromo.ssfiftylivesixcc)
  • Assassin Legend - 2020 NEW
  • Call Skins - Caller Themes (com.rockskinthemes.app)
  • CallMe Phone Themes (com.callercallwallpaper.app)
  • Caller Theme (com.caller.theme.slow)
  • Cashe Cleaner (com.cachecleanereasytool.app)
  • Craft Forrest Pixelart Robo
  • Cream Trip - NEW
  • Crush Car
  • Desert Against
  • Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
  • Fancy Charging (com.fancyanimatedbattery.app)
  • FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
  • Find 5 Differences - 2020 NEW
  • Find Hidden
  • Find the Differences - Puzzle Game
  • Flying Skateboard
  • Funny Caller (com.funnycallercustomtheme.app)
  • Funny Wallpapers - Live Screen (com.funnywallpapaerslive.app)
  • Helicopter Attack - NEW
  • Helicopter Shoot
  • InCall: Contact Background (com.mycallcustomcallscrean.app)
  • Iron it
  • Jump Jump
  • Money Destroyer
  • MyCall - Call Personalization (com.mycallcallpersonalization.app)
  • Neon Theme - Android Keyboard (com.androidneonkeyboard.app)
  • Neon Theme Keyboard (com.neonthemekeyboard.app)
  • NewScrean: 4D Wallpapers (com.newscrean4dwallpapers.app)
  • Notes - reminders and lists (com.notesreminderslists.app)
  • Photo & Exif Editor (de.xnano.photoexifeditornine)
  • Photo Editor & Background Eraser (de.photoground.twentysixshot)
  • Photo Editor - Design Maker (gb.twentynine.redaktoridea)
  • Photo Editor - Filters Effects (de.hitopgop.sixtyeightgx)
  • Photo Editor : Blur Image (de.instgang.fiftyggfife)
  • Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)
  • Photo Editor: Art Filters (gb.painnt.moonlightingnine)
  • Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)
  • Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
  • Photo Filters & Effects (de.sixtyonecollice.cameraroll)
  • Plant Monster
  • Props Rescue
  • Rolling Scroll
  • Rotate Shape
  • Rugby Pass
  • Shoot Them
  • Shooting Run
  • Stock Wallpapers & Backgrounds (de.stockeighty.onewallpapers)
  • Sway Man

Update 28 April 2023 – Around 35 million Android users worldwide downloaded a collection of 38 Minecraft imitator games from Google Play, which contained the Android adware HiddenAds. Despite the adware activity occurring in the background, users were able to play the games as advertised without noticing any malicious activity.

Among the most frequently downloaded applications were Block Box Master Diamond, Block Box Skyland Sword, Block Forrest Tree Crazy, Block Game Skyland Forrest, Block Pro Forrest Diamond, Block Rainbow Sword Dragon, Craft Monster Crazy Sword, Craft Rainbow Mini Builder, and Craft Sword Mini Fun.

Update June 15, 2023 – as predicted, the HiddenAds malware family continues to evolve. With their new anomaly detection technology, Bitdefender has uncovered compromised applications well within the sixty thousand range. It is speculated that the true impact of HiddenAds is even greater than that.

Based on the models used by these adware-type apps, it is evident that they could be easily repurposed for the promotion of high-risk malware such as ransomware and banking trojans. HiddenAds has also changed tactics since the hidden app icon feature was curtailed on Android devices. More information on these developments can be found in an article on Bitdefender's blog.

Quick menu:

Delete browsing history from the Chrome web browser:

Deleting web browsing history from Chrome in Android operating system (step 1)

Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "History" in the opened dropdown menu.

Deleting web browsing history from Chrome in Android operating system (step 2)

Tap "Clear browsing data", select "ADVANCED" tab, choose the time range and data types you want to delete and tap "Clear data".

[Back to Table of Contents]

Disable browser notifications in the Chrome web browser:

Disabling browser notifications in the Chrome browser in Android operating system (step 1)

Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "Settings" in the opened dropdown menu.

Disabling browser notifications in the Chrome browser in Android operating system (step 2)

Scroll down until you see "Site settings" option and tap it. Scroll down until you see "Notifications" option and tap it.

Disabling browser notifications in the Chrome browser in Android operating system (step 3)

Find the websites that deliver browser notifications, tap on them and click "Clear & reset". This will remove permissions granted for these websites to deliver notifications. However, once you visit the same site again, it may ask for a permission again. You can choose whether to give these permissions or not (if you choose to decline the website will go to "Blocked" section and will no longer ask you for the permission).

[Back to Table of Contents]

Reset the Chrome web browser:

Resetting Chrome browser to default in Android operating system (step 1)

Go to "Settings", scroll down until you see "Apps" and tap it.

Resetting Chrome browser to default in Android operating system (step 2)

Scroll down until you find "Chrome" application, select it and tap "Storage" option.

Resetting Chrome browser to default in Android operating system (step 3)

Tap "MANAGE STORAGE", then "CLEAR ALL DATA" and confirm the action by taping "OK". Note that resetting the browser will eliminate all data stored within. This means that all saved logins/passwords, browsing history, non-default settings and other data will be deleted. You will also have to re-login into all websites as well.

[Back to Table of Contents]

Delete browsing history from the Firefox web browser:

Delete browsing history from the Firefox in the Android operating system (step 1)

Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "History" in the opened dropdown menu.

Delete browsing history from the Firefox in the Android operating system (step 2)

Scroll down until you see "Clear private data" and tap it. Select data types you want to remove and tap "CLEAR DATA".

[Back to Table of Contents]

Disable browser notifications in the Firefox web browser:

Disable browser notifications in the Firefox web browser in the Android operating system (step 1)

Visit the website that is delivering browser notifications, tap the icon displayed on the left of URL bar (the icon will not necessarily be a "Lock") and select "Edit Site Settings".

Disable browser notifications in the Firefox web browser in the Android operating system (step 2)

In the opened pop-up opt-in the "Notifications" option and tap "CLEAR".

[Back to Table of Contents]

Reset the Firefox web browser:

Resetting Firefox browser in the Android operating system (step 1)

Go to "Settings", scroll down until you see "Apps" and tap it.

Resetting Firefox browser in the Android operating system (step 2)

Scroll down until you find "Firefox" application, select it and tap "Storage" option.

Resetting Firefox browser in the Android operating system (step 3)

Tap "CLEAR DATA" and confirm the action by taping "DELETE". Note that resetting the browser will eliminate all data stored within. This means that all saved logins/passwords, browsing history, non-default settings and other data will be deleted. You will also have to re-login into all websites as well.

[Back to Table of Contents]

Uninstall potentially unwanted and/or malicious applications:

Removing unwanted/malicious applications from the Android operating system (step 1)

Go to "Settings", scroll down until you see "Apps" and tap it.

Removing unwanted/malicious applications from the Android operating system (step 2)

Scroll down until you see a potentially unwanted and/or malicious application, select it and tap "Uninstall". If, for some reason, you are unable to remove the selected app (e.g., you are prompted with an error message), you should try using the "Safe Mode".

[Back to Table of Contents]

Boot the Android device in "Safe Mode":

The "Safe Mode" in Android operating system temporarily disables all third-party applications from running. Using this mode is a good way to diagnose and solve various issues (e.g., remove malicious applications that prevent users you from doing so when the device is running "normally").

Booting Android device in Safe Mode

Push the "Power" button and hold it until you see the "Power off" screen. Tap the "Power off" icon and hold it. After a few seconds the "Safe Mode" option will appear and you'll be able run it by restarting the device.

[Back to Table of Contents]

Check the battery usage of various applications:

Checking the battery usage of various applications in the Android operating system (step 1)

Go to "Settings", scroll down until you see "Device maintenance" and tap it.

Checking the battery usage of various applications in the Android operating system (step 2)

Tap "Battery" and check the usage of each application. Legitimate/genuine applications are designed to use as low energy as possible in order to provide the best user experience and to save power. Therefore, high battery usage may indicate that the application is malicious.

[Back to Table of Contents]

Check the data usage of various applications:

Checking data usage of various applications in the Android operating system (step 1)

Go to "Settings", scroll down until you see "Connections" and tap it.

Checking data usage of various applications in the Android operating system (step 2)

Scroll down until you see "Data usage" and select this option. As with battery, legitimate/genuine applications are designed to minimize data usage as much as possible. This means that huge data usage may indicate presence of malicious application. Note that some malicious applications might be designed to operate when the device is connected to wireless network only. For this reason, you should check both Mobile and Wi-Fi data usage.

Checking data usage of various applications in the Android operating system (step 3)

If you find an application that uses a lot of data even though you never use it, then we strongly advise you to uninstall it as soon as possible.

[Back to Table of Contents]

Install the latest software updates:

Keeping the software up-to-date is a good practice when it comes to device safety. The device manufacturers are continually releasing various security patches and Android updates in order to fix errors and bugs that can be abused by cyber criminals. An outdated system is way more vulnerable, which is why you should always be sure that your device's software is up-to-date.

Installing software updates in the Android operating system (step 1)

Go to "Settings", scroll down until you see "Software update" and tap it.

Installing software updates in the Android operating system (step 2)

Tap "Download updates manually" and check if there are any updates available. If so, install them immediately. We also recommend to enable the "Download updates automatically" option - it will enable the system to notify you once an update is released and/or install it automatically.

[Back to Table of Contents]

Reset the system to its default state:

Performing a "Factory Reset" is a good way to remove all unwanted applications, restore system's settings to default and clean the device in general. However, you must keep in mind that all data within the device will be deleted, including photos, video/audio files, phone numbers (stored within the device, not the SIM card), SMS messages, and so forth. In other words, the device will be restored to its primal state.

You can also restore the basic system settings and/or simply network settings as well.

Resetting the Android operating system to its default (step 1)

Go to "Settings", scroll down until you see "About phone" and tap it.

Resetting the Android operating system to its default (step 2)

Scroll down until you see "Reset" and tap it. Now choose the action you want to perform:
"Reset settings" - restore all system settings to default;
"Reset network settings" - restore all network-related settings to default;
"Factory data reset" - reset the entire system and completely delete all stored data;

[Back to Table of Contents]

Disable applications that have administrator privileges:

If a malicious application gets administrator-level privileges it can seriously damage the system. To keep the device as safe as possible you should always check what apps have such privileges and disable the ones that shouldn't.

Disabling Android applications that have administrator privileges (step 1)

Go to "Settings", scroll down until you see "Lock screen and security" and tap it.

Disabling Android applications that have administrator privileges (step 2)

Scroll down until you see "Other security settings", tap it and then tap "Device admin apps".

Disabling Android applications that have administrator privileges (step 3)

Identify applications that should not have administrator privileges, tap them and then tap "DEACTIVATE".

Frequently Asked Questions (FAQ)

My Android device is infected with HiddenAds malware, should I format my storage device to get rid of it?

No, HiddenAds malware removal does not require formatting.

What are the biggest issues that HiddenAds malware can cause?

The threats posed by a malicious program depend on its capabilities and the cyber criminals' aims. The apps belonging to the HiddenAds malware family usually operate as adware (i.e., display various advertisements). This type of software can decrease browsing quality and system performance. Additionally, the ads it delivers can be deceptive/malicious and cause serious problems (e.g., system infections, financial losses, etc.).

Some HiddenAds applications can subscribe victims to premium services, while others are designed to steal social media accounts. Therefore, these infections also pose a threat to user privacy and financial integrity.

What is the purpose of HiddenAds malware?

Typically, malicious software is used to generate revenue. However, it can also be used for the attackers' amusements or to disrupt processes (e.g., websites, services, etc.), enact personal grudges, and launch politically/geopolitically motivated attacks.

How did HiddenAds malware infiltrate my Android device?

HiddenAds has been notably promoted on the Google Play Store under various disguises, e.g., mobile games, image-editing software, system optimization tools, etc. (full list above). However, other distribution methods are likely. Malware is primarily proliferated via online scams, malvertising, spam emails/messages, drive-by downloads, untrustworthy download channels (e.g., unofficial and free file-hosting sites, P2P sharing networks, etc.), illegal program activation ("cracking") tools, and fake updates.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
HiddenAds trojan QR code
Scan this QR code to have an easy access removal guide of HiddenAds trojan on your mobile device.
We Recommend:

Get rid of Android malware infections today:

▼ REMOVE IT NOW
Download Combo Cleaner for Android

Platform: Android

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. 7 days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.