Rogue adware campaign found on Google Play


Despite Google saying it is working to keep malware off its Play store, its efforts are not always successful.


Check Point researchers have found a new adware campaign on Google Play, in 206 applications.

The combined download count reached nearly 150 million before Google was notified and removed the infected applications.

Dubbed "SimBad", based on the plethora of infected simulator games, the code hid in an illegitimate ad-serving platform and created a back door that could install dangerous apps, direct users to fake Web sites, and show other apps in stores.

The malware lives in the 'RXDrioder' software development kit (SDK), which is provided by 'addroider[.]com' as an ad-related SDK. Check Point researchers believe the app developers were tricked into using this malicious SDK, unaware of its content, which leads them to conclude that the campaign was not targeting a specific country.

How it works

Once the user downloads and installs one of the infected applications, 'SimBad' registers itself to the 'BOOT_COMPLETE' and 'USER_PRESENT' intents, which lets 'SimBad' perform actions after the device has finished booting, and while the user is using the device.

Following installation, SimBad connects to the designated command and control server, and receives a command to perform. The malware has capabilities divided into three groups: 'show ads', phishing and exposure to other applications. It also removes the application's icon from the launcher, making it harder for the user to uninstall.

With the capability to open a given URL in a browser, the attacker behind 'SimBad' can generate phishing pages for multiple platforms and open them in a browser, essentially performing spear-phishing attacks on the user.

Its ability to open market applications, such as Google Play and 9Apps, with a specific keyword search or even a single application's page, means the cyber criminal can gain exposure for other threat actors and increase his or her profits. The threat actor can also install a remote application from a designated server, allowing them to install new malware when needed.
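As an added illustration of the persistence mechanism described above (not code from Check Point or ITWeb), the following Python triage helper parses a decoded AndroidManifest.xml, lists the receivers registered for the boot-completed and user-present broadcasts, and separates out those whose class lives outside the app's own package, which is where an embedded SDK's receiver would sit. The manifest, package and receiver names are constructed; Android's actual action string is android.intent.action.BOOT_COMPLETED.

```python
# Added example (not Check Point's or ITWeb's code): triage a decoded
# AndroidManifest.xml for receivers listening to boot/unlock broadcasts,
# the persistence pattern the article describes. SAMPLE_MANIFEST is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Android's real action strings (the article shortens the first one).
PERSISTENCE_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                       "android.intent.action.USER_PRESENT"}

SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simulatorgame">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Racing Sim">
    <receiver android:name="com.hypothetical.adsdk.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".ScoreSyncReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def find_persistence_receivers(manifest_xml):
    """Return {receiver class: sorted matching actions} for every receiver
    whose intent-filter listens for a boot or unlock broadcast."""
    root = ET.fromstring(manifest_xml)
    hits = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name")
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        matched = sorted(actions & PERSISTENCE_ACTIONS)
        if matched:
            hits[name] = matched
    return hits

def third_party_persistence(manifest_xml):
    """Subset of the hits whose class lives outside the app's own package,
    i.e. a receiver that an embedded third-party SDK registered."""
    pkg = ET.fromstring(manifest_xml).get("package")
    return sorted(name for name in find_persistence_receivers(manifest_xml)
                  if not (name.startswith(".") or name.startswith(pkg + ".")))
```

On a real APK, run the helper over the manifest produced by a decoding tool such as apktool; the second function is the one worth alerting on.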

To lower the chances of getting infected, users are advised to keep all software on all devices updated, and install a good anti-malware solution that blocks adware and other threats. They should also exercise basic security hygiene.
