Android adware that delays its advertisements


While examining adware applications for Android, in a number of cases these applications do not contain a working component that the user can use. Often these apps disappear from the app drawer after execution and continue to bombard advertisements on the device. SonicWall Capture Labs Threats Research Team received reports of an Android adware that contains adware components along with legitimate functionality that can fool the user into using the apps while it display ads after a delay in the background.

Infection Cycle

One of the applications we analyzed – Code QR – behaves like a vanilla QR code related app. It looks and feels like a legitimate app unlike other aggressive adware that do not contain working functionality:

But shortly after execution the app contacts and sends sensitive inforamtion like IMEI, MAC and IP address of the device:


On examining the domain we found something interesting, we discovered the following folders on this domain via directory traversal:

This hints that there are more apps under the categories car, clock, tv and clcb that communicate with this domain. More on this later.

Advertisements On The Device

The app sends a GET request as mentioned in the previous section to which it gets the following reply:

The interesting bit in the above exchange is the url – hxxp:// This same link is also present locally in the shared_prefs/<package_name>.xml file:

On opening this link we were redirected to different links like and, we saw the same links being randomly opened on the infected device at different times:


We did not see advertisements immediately but soon we began to see full screen advertisements on the device at regular intervals even after the app was closed. An interesting thing to note, the icon of the app disappears from the app drawer after a delay as well. This is contrary to most malware where the icon disappears immediately.

Some of the advertisements displayed were of the NSFW nature and some of these were location specific:


A Massive Network:

The URL mentioned above resolves to – hxxp:// VirusTotal graph shows this URL related to two more URL’s, we were redirected to one of these during our analysis:


The stats on show extremely high number of clicks for this link -7,076,798 clicks since its creation on December 6, 2019:


This shows the massive outreach of this campaign where this link was referred to by a number of different mediums –  highest being email, sms and direct clicking:



Connected Apps

As mentioned earlier in the blog, we found the possibility of multiple apps to be part of this campaign. On digging further we were able to identify two more apps that belong to this campaign:

  • Speed Racing 3D –
  • Big Fish – com.bigfish.clcbgames

The package names go in line with the folders we discovered on the domain

Overall this adware aims at executing its primary function – displaying ads – in a clever way. It lays low and performs the expected behavior initially. After some time it disappears and starts displaying ads in the background. This tactic helps it gain the initial trust from the user so as to avoid suspicion.


SonicWall Capture Labs provides protection against these threats with the following signatures:

  • AndroidOS.Adware.BT (Adware)
  • AndroidOS.HiddenApp.Ad (Adware)

Indicators Of Compromise (IOC’s):

    • 1250f1296c0e92112d554960d4f99710
    • 18e3acf23aa1062579b6e75d527425da
    • 8a4ae7046b293f155a5119af149ae8cf


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.