Adware Apps Booted from Google Play

More than a dozen apps were booted from the Google Play store Wednesday after researchers discovered each were rip-offs of legitimate apps and designed to aggressively push ads on Android devices.

Researchers from Zscaler spotted the rogue apps and said the crooks behind the software tried to trick users into giving the app administrative privileges. That gave bad guys the ability to pelt Android users with fullscreen ads, open browser links, launch YouTube videos, open apps installed on the phone, and place shortcut URLs on the home screen of devices.

A sample of the apps includes games, a photo editor, QR barcode scanner and a compass. Four of the apps were downloaded between 10,000 to 50,000 times. “After a primary analysis of these apps, we confirmed that they do not have any features that require critical device administration privileges,” wrote Gaurav Shinde, Android security researcher with Zscaler.

Shinde said most of the apps it examined used pirated code from legitimate apps. For example, one app with the package name com.ndk.taskkiller is a pirated version of the legitimate app called “Battery Saver HD and Task Killer.”

The pirated apps were identical to those copied with the exception of malicious code that allows the app to communicate with the developer’s command and control server. “Upon successful installation, these apps will communicate with a preconfigured Command and Control (C2) server and act in accordance with C2 directions,” Shinde said.

The initial command from the C2 is a request for administrative privileges. In order to coax users into granting access the app generates a bogus Android settings menu where victims are enticed to grant the app device admin privileges under the guise of activating a “Plus Service.”

“Once the user grants device admin privileges to the app, the app cannot be uninstalled until the user withdraws admin privileges for this app,” Shinde wrote.

With the elevated privileges, the app is capable of displaying ads, opening browser links or driving traffic to YouTube videos to generate ad revenue.

To get past Google’s various protections that bar bad apps from the Google Play store, Zscaler said developers injected the malicious packages inside Android’s genuine package for Google Mobile Services (GMS).

“The location of injected code is interesting. The com.google.android.gms package is Android’s genuine package for Google Mobile Services (GMS),” Shinde wrote. “In this case, a package named ‘logs’ is injected inside the GMS packages to evade detection.”

All the strings in the code were obfuscated. “The encryption technique leveraged here is trivial but served its purpose. After decrypting all the strings, the de-obfuscated code revealed the secrets hidden within,” said Shinde.

One of those secrets included the creation of a dex file that when executed plays a specific YouTube video and generates ad revenue for the video’s author. A .dex file (Dalivk Executables) is a compiled version of Android program. The functionality of downloading and executing .dex files allows these adware apps to execute arbitrary code pushed by C2 server, explained Deepen Desai, senior director of research and operations at Zscaler.

“It’s notable that this dex file is not embedded in the original app, but is downloaded at runtime. This means that the app developer can change the code of secondlib.dex at any time and it will be executed on the user’s device without requiring the user to update the app,” the researcher noted.

Obfuscation of the apps’ malicious intent also included suppressing the adware component for the first six hours after installation. Researchers believe this was an attempt to bypass Google’s VerifyApps scanner, which executes an app for few minutes and analyzes its behavior before publishing the app on the Google Play store.

Another obfuscation technique is instructions from the command and control server to hide and unhide the app’s icon. This helps the perpetrator avoid user suspicions over the app.

“The app’s icon is only hidden if the app is not used for five days. In most cases, if an average user does not open an app for five days, after which the app icon is concealed, the user will probably have no idea where those annoying ads are coming from and is unlikely to suspect the now-hidden app,” the report said.

Google did not reply to Threatpost requests for comment for this story.

Desai said the apps were removed from Google Play about 24 hours after first showing up. Promotion of the apps was limited to Google Play with the exception of a viral video on YouTube.

“We found a YouTube video for game ‘Eighth Note Jump’, which is going viral from last month. In the description of that video, the uploader has given a download link which points to one of the malicious app,” Desai said.