New Adware With Destructive Capabilities Infects Over 200 Google Play Store Apps

Attendees stand in front of the Google Play booth during the Tokyo Game Show 2018 on September 20, 2018 in Chiba, Japan.
Photo: Getty

Researchers have uncovered a new adware strain that, until recently, was running rampant on the Google Play Store. More than 200 applications are said to have carried the malware.

In a post Wednesday, Israeli security firm Check Point said applications known to contain this particular adware strain—dubbed “SimBad”—had been downloaded almost 150 million times, primarily by gamers.


“We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific country or developed by the same developer,” the company said. “The malware has been dubbed ‘SimBad’ due to the fact that a large portion of the infected applications are simulator games.”

The apps are no longer available for download, Gizmodo has confirmed.

Check Point said the malware resides inside an apparently widely used advertising software development kit (SDK) provided by ‘addroider[.]com’. Once installed, SimBad receives instructions from a command-and-control server, such as an order to hide its launcher icon so the app is harder to find and uninstall. It then begins to display background ads and can open any URL in the phone’s browser.


“With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user,” said Check Point. “The actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware once it is required.”

The researchers noted that while SimBad appears geared toward serving ads for now, it has the infrastructure to evolve into “a much larger threat.”
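The behaviours described above (hiding the launcher icon, opening arbitrary URLs, pulling in the ad SDK, and installing a further APK on command) each leave strings in an app’s DEX code or binary manifest. The following triage script is an added example by the editor, not code from Check Point or from Gizmodo: it unzips an APK in memory and reports which of those capability indicators are present, then applies the combination the article describes as the SimBad pattern. The indicator strings other than the `addroider.com` domain are the editor’s assumptions about what such an app would reference, and the sample APK it builds is constructed (a zip with a fake `classes.dex`), not a real infected app.

```python
import io
import re
import zipfile

# Indicator strings grouped by the capability they suggest. Assumption by the editor:
# these are the generic Android API names and literals a SimBad-like build would leave
# in its string tables; only the SDK domain comes from the article.
INDICATORS = {
    "hides_launcher_icon": [
        # PackageManager.setComponentEnabledSetting(...) is how an app disables its own
        # launcher activity; the DISABLED constant (2) is inlined by the compiler, so
        # only the method name survives in the DEX string table.
        "setComponentEnabledSetting",
    ],
    "addroider_sdk": ["addroider.com"],
    "opens_urls_in_browser": ["android.intent.action.VIEW"],  # Intent.ACTION_VIEW literal
    "installs_apks": [
        "application/vnd.android.package-archive",           # MIME type handed to the installer
        "android.permission.REQUEST_INSTALL_PACKAGES",
    ],
}

# Only code and the (binary) manifest are worth scanning; resources are ignored.
SCAN_MEMBERS = re.compile(r"^(classes\d*\.dex|AndroidManifest\.xml)$")


def _encodings(s):
    # DEX string tables are MUTF-8 (byte-identical to UTF-8 for these ASCII strings);
    # the binary manifest's string pool may be UTF-8 or UTF-16LE, so try both.
    return (s.encode("utf-8"), s.encode("utf-16-le"))


def triage_apk(apk_bytes):
    """Return {capability: sorted list of APK members in which an indicator was found}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not SCAN_MEMBERS.match(name):
                continue
            data = zf.read(name)
            for capability, needles in INDICATORS.items():
                if any(enc in data for s in needles for enc in _encodings(s)):
                    findings.setdefault(capability, set()).add(name)
    return {k: sorted(v) for k, v in findings.items()}


def looks_like_simbad(findings):
    """Icon hiding combined with the SDK domain or a remote-install capability is the
    pattern the article describes; any one hit on its own is common in benign apps."""
    return "hides_launcher_icon" in findings and (
        "addroider_sdk" in findings or "installs_apks" in findings
    )


def build_sample_apk():
    """Constructed stand-in for an infected APK: 'classes.dex' is not a real DEX, just
    bytes carrying the strings such a build would have in its string table, and the
    manifest fragment is UTF-16LE as a binary XML string pool often is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex",
                    b"dex\n035\x00...Landroid/content/pm/PackageManager;\x00"
                    b"setComponentEnabledSetting\x00http://addroider.com/\x00"
                    b"android.intent.action.VIEW\x00")
        zf.writestr("AndroidManifest.xml",
                    "android.permission.REQUEST_INSTALL_PACKAGES".encode("utf-16-le"))
        zf.writestr("res/raw/notes.txt", b"addroider.com in a resource file is ignored")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for capability, members in result.items():
        print(f"{capability:24s} {', '.join(members)}")
    print("SimBad-like:", looks_like_simbad(result))
```

On a real file, call `triage_apk(open("app.apk", "rb").read())`. The check is a triage aid, not a verdict: an SDK that obfuscates its strings, or one that only fetches the malicious component after install (the delayed-execution trick discussed later in the article), will show nothing here, and the URL-opening and install indicators alone appear in plenty of legitimate apps.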

Screenshot: Check Point

A complete list of the infected applications is included in Check Point’s post.

As a Wired report detailed back in 2017, hackers have found some ingenious ways to circumvent the scanners intended to keep malware off Google Play’s shelves. One of the most common is delayed execution of malicious code: the app behaves benignly until it has passed review. The company’s efforts to get ahead of the problem often fall flat.


Two months ago, its detection systems were bypassed by a batch of 85 apps that, by the time Google was able to delete them, had infected some 9 million users. Just a few days earlier, users in 196 countries were infected by a slew of apps capable of accessing contact lists and SMS messages and even recording audio.

One issue, highlighted by ZDNet in January, seems to be that it becomes easier for malware distributors to evade Google once their apps gain a respectable number of downloads and appear to be safe.


“Usually Google enforce more stringent checks for new apps,” Trend Micro’s Bharat Mistry told the site. “But as updates are made to the app over time and they are proven not to be malicious from the offset, the level of checking may be reduced.”

About the author

Dell Cameron

Privacy, security, tech policy | Got a tip? Email: dell@gizmodo.com | Send me encrypted texts using Signal: (202)556-0846

PGP Fingerprint: A70D 517E FB9A 02C9 C56E 86D5 877E 64E7 10DF A8AE
OTR Fingerprint: 2374A8EA 6D2B7712 0D82D659 C0FE8253 A3F080FD