Adware campaign spreads on Android app stores (Feb 12, 2015)


A phone is no longer limited to making and receiving calls; a standard smartphone today has enough features and applications (apps) to replace a computer for light day-to-day tasks. The app ecosystem can make or break a generation of smartphones, and every major smartphone operating system comes with its own app store. Google Play is probably the largest and safest place to get apps for an Android smartphone. Even though all apps on the Play store are scanned for malicious content, there are instances when malicious apps sneak through and infect a user's device.

Dell SonicWALL Threats Research team received reports of apps on Google Play that were infecting users who downloaded them. These apps pose as utility applications such as a flashlight, but they are in fact advertisement campaigns that constantly bombard the user with ads.

Google uses a service, codenamed Bouncer, that scans the apps on the Play store for malicious behavior. The analysis leans towards static analysis, so apps that wait for a set period before downloading their malicious content can pass this scrutiny. Recently Google introduced a component (Verify apps) that scans the apps installed on the user's device and checks whether they behave in the expected manner. Since it only comes into effect after an app is installed, in some cases it may already be too late; regardless, we can expect this service to improve with time and further strengthen the core Android security around applications running on the device.

Android Ice Cream Sandwich (4.0 to 4.0.4) had Verify apps under Settings > Security and Google Settings > Security. The latest version, Android Lollipop (5.0 to 5.1), has this setting only under Google Settings > Security. This feature may be integrated into the OS as a default option in future releases.

As of 2014 there were around 1.3 million apps in the Android ecosystem. Apart from the Play store there are a number of non-Google app stores from which you can download apps, but doing so may not always be safe. Google recommends that apps be downloaded only from the trusted Play Store.

The package names for the apps we checked are:

  • com.keloidscaretissue.Quxicompass
  • com.keloidscaretissue.QuxiFlashlisht
  • com.flashlightcompass.wedoourbest
  • com.keloidscaretissue.puzzle2048
  • com.onlygoodcompass.wedoourbest

These apps are no longer available on the Google Play store and other popular alternate stores.

But some alternate stores are still providing these apps.

When applications as simple as a flashlight, a compass and a puzzle game request permissions such as the following, it raises suspicion about their real motives:

  • Read and write to external storage
  • Access camera
  • Read contacts
  • Process outgoing calls

Upon installing the Flashlight app it appeared to work, but after a while its icon disappeared from the app drawer. To the user the app appears to be broken and no longer present on the phone, yet its background services keep running. This behavior is common to all five apps listed above, hence researchers have dubbed them HideIcon.
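As an added triage example (not code from the original post), the following Python flags installed packages that match the package names, the suspicious permission set, or the icon-hiding behaviour described above. It runs over a constructed excerpt in the shape of `adb shell dumpsys package` output; the exact dumpsys layout (the `requested permissions:` and `disabledComponents:` sections) is an assumption, so adjust the parser to the output of the device at hand.

```python
import re

# Package names and permissions are taken from the post; the dumpsys excerpt
# below is constructed in the shape of `adb shell dumpsys package` output (assumed layout).
HIDEICON_PACKAGES = {"com.keloidscaretissue.Quxicompass", "com.keloidscaretissue.QuxiFlashlisht",
                     "com.flashlightcompass.wedoourbest", "com.keloidscaretissue.puzzle2048",
                     "com.onlygoodcompass.wedoourbest"}
SUSPICIOUS_PERMS = {"android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.CAMERA",
                    "android.permission.READ_CONTACTS", "android.permission.PROCESS_OUTGOING_CALLS"}
DUMPSYS_SAMPLE = """\
  Package [com.keloidscaretissue.QuxiFlashlisht] (3a1b2c):
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.PROCESS_OUTGOING_CALLS
    User 0: installed=true hidden=false stopped=false enabled=0
      disabledComponents:
        com.keloidscaretissue.QuxiFlashlisht.MainActivity
  Package [com.example.notepad] (9f8e7d):
    requested permissions:
      android.permission.INTERNET
    User 0: installed=true hidden=false stopped=false enabled=0
"""

def parse_dumpsys(text):
    """Map each package to its requested permissions and its disabled components."""
    pkgs, cur, section = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\s*Package \[([\w.]+)\]", line):
            cur = pkgs.setdefault(m.group(1), {"perms": set(), "disabled": set()})
            section = None
        elif cur is not None:
            s = line.strip()
            if s in ("requested permissions:", "disabledComponents:"):
                section = "perms" if s.startswith("requested") else "disabled"
            elif section and re.fullmatch(r"[\w.$/]+", s):
                cur[section].add(s)  # indented entry belonging to the open section
            else:
                section = None  # any other line closes the section
    return pkgs

def triage(text):
    """Return {package: [reasons]} for packages showing HideIcon-style indicators."""
    findings = {}
    for pkg, info in parse_dumpsys(text).items():
        reasons = []
        if pkg in HIDEICON_PACKAGES:
            reasons.append("package name reported in the HideIcon campaign")
        if info["disabled"]:  # an app disabling its own launcher activity is how the icon vanishes
            reasons.append("disabled components: " + ", ".join(sorted(info["disabled"])))
        if info["perms"] & SUSPICIOUS_PERMS:
            reasons.append("suspicious permissions: " + ", ".join(sorted(info["perms"] & SUSPICIOUS_PERMS)))
        if reasons:
            findings[pkg] = reasons
    return findings
```

Disabled components are only a hint: legitimate apps also disable their own components, so confirm by checking whether the disabled one is the MAIN/LAUNCHER activity in the manifest.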

The Flashlight app downloads a text file called CDN.txt from that contains a list of Android app package names. A number of VirusTotal reports indicate malicious files that contain this link. The phone is then bombarded with advertisements at an alarming rate. The ads are typically for other applications, with no set pattern to the type of application advertised. During our analysis we observed ads for games, popular services like Uber and social networking applications like PalTalk. We observed the following ways in which ads are displayed to the user:

  • The Play store is opened on the install page for an application.
  • The screen is covered with an advertisement image containing download links. The image usually has a 'close' button, but sometimes it has none and the user is forced to click a prompted button; the ad may even cover the screen with no way to close it.
  • Small button overlays appear not only in the Play Store but also in general applications such as the Chrome browser. If clicked, the user is taken to the download page.

Overall, these apps pose as utility applications but are in fact advertisement campaigns, and they mar the user's Android experience by constantly bombarding them with on-screen advertisements. While it is recommended to download apps only from the Play store, it would be beneficial if users were notified when an app they have downloaded is removed from the store. This would protect existing users of the apps instead of only potential new users, as it currently stands.

However, this case highlights the need to download apps only from the Play Store, as Google constantly checks and analyzes apps for malicious behavior and takes down any app found to be malicious. A corresponding take-down on non-Google stores usually takes time to be reflected, as in the current case, and this time gap may be all that is needed for a phone to get infected.

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: AndroidOS.HideIcon.QC (Trojan)
  • GAV: AndroidOS.HideIcon.FL_2 (Trojan)
  • GAV: AndroidOS.HideIcon.PZ (Trojan)
  • GAV: AndroidOS.Hideicon.FL (Trojan)
