Seventeen Android Nasties Spotted in Google Play, Total Over 550K Downloads

Bitdefender researchers recently found 17 Google Play apps that, once installed, start hiding their presence on the user’s device and constantly display aggressive ads. While not malicious per se, the tactics they use to smuggle themselves into Google Play and dodge Google’s vetting system are traditionally associated with malware.

Waiting
48 hours before hiding their presence on the device, splitting the app’s code
into multiple resource files, and holding off displaying ads until 4 hours after app installation are among
the tactics these developers use to plant their apps onto Google Play.

With
over 550,000 downloads in total, the apps found have flown below the radar of
Google’s vetting system mostly because they also delivered on their promise:
they do what they say they do.

At
the time of writing, Google has been notified and the reported apps are being
taken offline. 

The
Promise of Adrenaline

The
description for one of the apps analyzed involves enticing users with a racing
simulator that also offers in-app payments for extra in-game features.

While
the gaming part works just fine, the app shows popup ads when the user is not
playing the game and hides for some time following the installation. The ads
are displayed at random time intervals, making it hard for users to recognize a
pattern of when ads are shown.

Under
the Hood

The
app comes with a second component found in an archive from the assets
directory. Interestingly, the malicious code resides in the first component,
the second one being the actual game code. The second dex (component) and the
libraries used by the game are extracted from the archive identified in the
assets directory.

In
terms of registered receivers, the first one is for
android.intent.action.BOOT_COMPLETED. When the broadcast is received, the app
will begin an activity, which starts a job scheduler for showing ads.  The scheduled service starts after 10 minutes
and shows an ad only once. The scheduler recreates itself by calling the method
from the activity that created it initially, then starts again after 10
minutes.

Another
receiver the app registers is for android.intent.action.USER_PRESENT. Whenever
the user unlocks the device, if at least 4 hours have passed since the app
installed it, there is a chance an ad will show. That’s because the ad displays
are programmed by generating a random number of less than 3 that is checked
against a value. If the number generated is equal to the check number, an ad
appears. Therefore, the probability of displaying ads is once every three times
the user unlocks the phone.

Adware
SDKs

Users
see multiple ads either in-game when pressing different buttons or even if not
in the app. The frequency at which ads appear while in the game depends on a
random value. In half the cases, there is a probability that when using some
game functionalities, an ad pop ups.

The
ad-showing mechanisms are scattered around the application, within multiple
activities, and using modified adware SDKs. The randomness of ad occurrences
and display time intervals is modified by the developer to decrease the
likelihood of users noticing any patterns.

The
adware SDK key identifiers are set in a config file within the assets directory
and retrieved when showing ads. In the config file, there are parameters for
customizing how often ad-displaying services should be recreated. The config
file also contains a flag stating if the app should hide its presence on the
device or not, a flag that is set to true by default.

Some
versions of the app have the “hide icon flag” under a different name:

 Mechanisms
for Dodging Google Play

One
method for the app to dodge Google Play checks is by waiting 48 hours to hide.
The code is also split in two dex files, making it difficult for security
researchers to grasp the logic of the app. Another technique used is to
manipulate the broadcast receiver for android.intent.action.USER_PRESENT to
display ads only after 4 hours following installation.

The
app also comes with game-related .so files that are not used. These library
files are common in Android games, as they provide fast graphics rendering on a
mobile environment with limited resources. What is interesting here is that the
game actually uses the other .so files found in an archive within the assets
directory, despite already having them in the lib directory. This could be a
mechanism intended to make the app give the impression of being an average
game, while its main purpose is to aggressively display ads.

Other
Versions, Same Reviews

In
other versions, including versions that were at some point on Google Play,
requests to the ad web sites also contain sensitive information about the user,
such as phone model, IMEI, IP address, MAC address, and location information.
Some apps have no second dex and have all the functionality in the initial one.

Some
users that have tried the apps left reviews that raised warning signs about the
apps’ behavior. While some users were irked that they couldn’t even play the
game because of full screen ads, other complained of battery drainage and
accurately identified an app’s dubious hiding behavior after installation.

Fool
me … 17 times

The methods described above to dodge Google’s vetting system seem to have been put to good use, as Bitdefender researchers have identified 17 other apps that share the same practices. While the creators’ and applications’ names are different, they all share the same features in terms of hiding their existence and displaying ads.

Stay
Safe

While
the Google Play apps found are not tagged as malware, but more as Riskware,
users are strongly encouraged to always have a security solution installed on
their devices, as it can accurately identify these apps and prevent users from
installing them. Whether downloaded from official or third-party marketplaces,
a mobile security solution will keep users safe from malware, riskware, or other
potentially malicious apps as well as phishing or fraudulent websites.

Bitdefender
identifies the found samples using the following detections: Android.Riskware.HiddenAds.HH,
Android.Riskware.HiddenApp.AX, Android.Riskware.HiddenApp.HU.

All
found versions:

Note:
The information in this article was made available courtesy of Alexandra
Bocereg, Junior Security Researcher, Bitdefender.