Security News

Android Adware reappears on third party after being taken down from the Google play store

By

SonicWall Capture Labs Threat Research team has been observing Android adware that were available on the Google play store, they are now removed from the play store but are still being distributed via third-party platforms. Hidden Adware continuously shows advertisements, some of which contain download links and lead to false clicks, and users end up with unwanted applications.

Fig1:Application removed from  Google Play Store

 

Fig2: Malicious applications available on third-party store

 

Infection Cycle:

After installation, the application changes its icon to a blank icon without a name, making it difficult for the user to identify which application is showing advertisements.

Fig3: Application icon change

 

Here <activity-alias> is used to change to a blank icon from the original icon and then launch the same application to perform Adware activities as shown in the below code snippet.

Fig4: Use of activity alias tag

 

After installation, multiple advertisements start showing with a long waiting time to close and this is a recurring action.

Fig5: Multiple Advertisement

 

This adware pretends to be protecting from harmful applications and shows a constant message in the status bar to get the benefit of doubt and remains unidentified source of advertisement.

Fig6: Message in the status bar

 

Similarly to persuade as an optimizer application Adware shows a notification after every new application installation.

Fig7: Pop up after new application installation

 

Sensitive device information(IMEI number, location etc) accessed by adware is shown in below code snippet.

Fig8: Access device information

 

To check the resource utilization, we tested after the device factory reset and the battery usage as compared to other applications was very high due to a huge number of advertisements.

 

Fig9: Battery usage

 

The problem caused by Adware:

  • Difficult to identify and uninstall the application.
  • Due to intensive resource usage device speed goes down and applications start crashing.
  • The battery starts draining quickly.
  • Leads to high internet usage.

 

SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):

87fb25e1087b14c5da692667000f04615d90525277fcdc316ef7c6f0326c1bcf

b97b648b29f824a2abd3f84484249807ec00acb50d7aa914a059b34f6590a657

f68ca1129a5e57bdad18301100ee7a3f2ee3864362a9d939e78db09d8c10e6a2

87267d97fa3aa3eb55465021ad615ccf28b9f595053980f31ad804df49b2223c

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Wave of Zortob Backdoor Trojan discovered in the wild (Oct 18, 2013)
New Cridex variant from drive-by blackhole exploit (Aug 17, 2012)
Bublik, CyberGate, and Game of Thrones
Cyber Security News & Trends – 10-26-18
Novell GroupWise Internet Agent Content-Type BO (Nov 18, 2010)
Squid Proxy ESI Component Buffer Overflow (May 6,2016)
Cacti Command Injection Vulnerability
Yahos Worm Spreading in the Wild (Aug 12, 2010)