The Android.virus.adcheat.outappad.wau detection is specific to Android devices (obviously) that have an anti-virus program. The weird thing in this case is that these AV programs remove apps even from the Google Play store – meaning, if this can be believed, that even app store programs are infected.
From the information I can see at this moment, it’s not clear whether this is a false positive of some sort, but in my experience – it’s not. From what I gathered, it predominantly infects Russia-based users. When such infections are geographically locked, there are 3 main factors to take into account:
- Either one AV program is causing this mess detecting the same thing, and from what I can tell, that’s not the case. It’s detected by an in-built Android system.
- When all attack vectors come through one single country, then it’s highly suspicious and warrants a deeper look. But at this point the problem is that most of the infected apps seem to be localized. I urge everyone to read the list below and uninstall the apps we outlined there.
- If users are downloading the apps from an unofficial source, then that’s 100% the reason. I understand
Android.virus.adcheat.outappad.wau is likely hijacking downloads somehow and that’s only for Russian users. I highly doubt all the apps that show up as infected are actually infected in Google’s app store.
Currently, the only app I found to be infected, and I could test, was Ei Samay. I doubt it’s the only one, though:
https://play.google.com/store/apps/details?id=com.eisamay.reader&hl=en
If you are using it, I suggest uninstalling it for the time being while all of this is sorted out.
A few suggestions on my end:
- Change any password that you used in an infected app. It’s likely that the password is no longer safe, and the attackers also have your email address.
- Stay away from unofficial places to download APKs. If you don’t plan on heeding this, at least research online if the source is safe or not.
- Look at user reviews on the Google Play store for the app you’ve chosen.
- If the problems persist, as a last resort, you can always factory reset your phone.
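
To see which installed apps did not come from Google Play, as the suggestions above advise, this added example (not part of the original article) parses the output of `adb shell pm list packages -3 -i` and also marks package names from a watchlist. The sample output and every package name except `com.eisamay.reader` are constructed for illustration.

```python
import re

PLAY_STORE = "com.android.vending"  # installer name recorded for Google Play installs

# Constructed sample of `adb shell pm list packages -3 -i` output (third-party
# apps with their installer). Only com.eisamay.reader is named in the article;
# the other package names are made up for illustration.
SAMPLE_OUTPUT = """\
package:com.eisamay.reader  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.notes  installer=com.example.thirdpartystore
some unrelated warning line
"""

# Package names reported as detected; taken from the article.
WATCHLIST = {"com.eisamay.reader"}

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(text):
    """Map package name -> installer package (None when no installer is recorded)."""
    installers = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:  # skip anything that is not a package line
            pkg, installer = match.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def review(text, watchlist=WATCHLIST):
    """Return (package, installer, notes) rows that deserve a manual look."""
    rows = []
    for pkg, installer in sorted(parse_installers(text).items()):
        notes = []
        if installer != PLAY_STORE:
            notes.append("not installed via Google Play")
        if pkg in watchlist:
            notes.append("package name reported as detected")
        if notes:
            rows.append((pkg, installer, notes))
    return rows


if __name__ == "__main__":
    for pkg, installer, notes in review(SAMPLE_OUTPUT):
        print(f"{pkg:32} installer={installer or 'none':32} {'; '.join(notes)}")
```

On a real device, pass the text returned by `adb shell pm list packages -3 -i` to `review()` in place of the sample.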
All these detections are solely connected to the Android package names (detection appears even on empty apps with the same package name), so it seems like an attempt to ruin someone’s apps. Its connection solely to Russian apps gives a hint that it might be an attack by hackers from Ukraine or something similar.
It is also believed that the primary antivirus detecting this app is the Avast engine (CZ).
The DNS Shop app is also infected with this virus.