Researchers have uncovered a new adware strain that, until recently, was running rampant on the Google Play Store. More than 200 applications are said to have carried the malware.
In a post Wednesday, Israeli security firm Check Point said applications known to contain this particular adware strain—dubbed “SimBad”—had been downloaded almost 150 million times, primarily by gamers.
“We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific county or developed by the same developer,” the company said. “The malware has been dubbed ‘SimBad’ due to the fact that a large portion of the infected applications are simulator games.”
The apps are no longer available for download, Gizmodo has confirmed.
Check Point said the malware resides inside an apparently widely used advertising software development kit (SDK) provided by ‘addroider[.]com’. Once installed, SimBad receives instructions from a command and control server, such as an order to make its icon disappear in an effort to make the app harder to remove. It then begins to display background ads and can open any URL in the phone’s browser.
“With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user,” said Check Point. “The actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware once it is required.”
The researchers noted that while SimBad appears geared toward serving ads for now, it has the infrastructure to evolve into “a much larger threat.”
A complete list of the infected applications can be found here.
As a Wired report detailed back in 2017, hackers have found some ingenuous ways to circumvent the scanners intended to keep malware off Google Play’s shelves. One of the top methods includes the delayed execution of malicious code. The company’s efforts to get ahead of the problem often fall flat.
Two months ago, its detection systems were bypassed by a batch of 85 apps that, by the time Google was able to delete them, had infected some 9 million users. Just a few days earlier, users in 196 countries were infected by a slew of apps capable of accessing contact lists and SMS messages and even recording audio.
One issue, highlighted by ZDNet in January, seems to be that it becomes easier for malware distributors to evade Google once their apps gain a respectable number of downloads and appear to be safe.
“Usually Google enforce more stringent checks for new apps,” Trend Micro’s Bharat Mistry told the site. “But as updates are made to the app over time and they are proven not to be malicious from the offset, the level of checking may be reduced.”