Bitdefender researchers recently found 17 Google Play apps that, once installed, start hiding their presence on the user’s device and constantly display aggressive ads. While not malicious per se, the tactics they use to smuggle themselves into Google Play and dodge Google’s vetting system are traditionally associated with malware.
Waiting 48 hours before hiding their presence on the device, splitting the app’s code into multiple resource files, and holding off displaying ads until 4 hours after app installation are among the tactics these developers use to plant their apps onto Google Play.
With over 550,000 downloads in total, the apps found have flown below the radar of Google’s vetting system mostly because they also delivered on their promise: they do what they say they do.
At the time of writing, Google has been notified and the reported apps are being taken offline.
The Promise of Adrenaline
The description for one of the apps analyzed involves enticing users with a racing simulator that also offers in-app payments for extra in-game features.
While the gaming part works just fine, the app shows popup ads when the user is not playing the game and hides for some time following the installation. The ads are displayed at random time intervals, making it hard for users to recognize a pattern of when ads are shown.
Under the Hood
The app comes with a second component found in an archive from the assets directory. Interestingly, the malicious code resides in the first component, the second one being the actual game code. The second dex (component) and the libraries used by the game are extracted from the archive identified in the assets directory.
In terms of registered receivers, the first one is for android.intent.action.BOOT_COMPLETED. When the broadcast is received, the app will begin an activity, which starts a job scheduler for showing ads. The scheduled service starts after 10 minutes and shows an ad only once. The scheduler recreates itself by calling the method from the activity that created it initially, then starts again after 10 minutes.
Another receiver the app registers is for android.intent.action.USER_PRESENT. Whenever the user unlocks the device, if at least 4 hours have passed since the app installed it, there is a chance an ad will show. That’s because the ad displays are programmed by generating a random number of less than 3 that is checked against a value. If the number generated is equal to the check number, an ad appears. Therefore, the probability of displaying ads is once every three times the user unlocks the phone.
Users see multiple ads either in-game when pressing different buttons or even if not in the app. The frequency at which ads appear while in the game depends on a random value. In half the cases, there is a probability that when using some game functionalities, an ad pop ups.
The ad-showing mechanisms are scattered around the application, within multiple activities, and using modified adware SDKs. The randomness of ad occurrences and display time intervals is modified by the developer to decrease the likelihood of users noticing any patterns.
The adware SDK key identifiers are set in a config file within the assets directory and retrieved when showing ads. In the config file, there are parameters for customizing how often ad-displaying services should be recreated. The config file also contains a flag stating if the app should hide its presence on the device or not, a flag that is set to true by default.
Some versions of the app have the “hide icon flag” under a different name:
Mechanisms for Dodging Google Play
One method for the app to dodge Google Play checks is by waiting 48 hours to hide. The code is also split in two dex files, making it difficult for security researchers to grasp the logic of the app. Another technique used is to manipulate the broadcast receiver for android.intent.action.USER_PRESENT to display ads only after 4 hours following installation.
The app also comes with game-related .so files that are not used. These library files are common in Android games, as they provide fast graphics rendering on a mobile environment with limited resources. What is interesting here is that the game actually uses the other .so files found in an archive within the assets directory, despite already having them in the lib directory. This could be a mechanism intended to make the app give the impression of being an average game, while its main purpose is to aggressively display ads.
Other Versions, Same Reviews
In other versions, including versions that were at some point on Google Play, requests to the ad web sites also contain sensitive information about the user, such as phone model, IMEI, IP address, MAC address, and location information. Some apps have no second dex and have all the functionality in the initial one.
Some users that have tried the apps left reviews that raised warning signs about the apps’ behavior. While some users were irked that they couldn’t even play the game because of full screen ads, other complained of battery drainage and accurately identified an app’s dubious hiding behavior after installation.
Fool me … 17 times
The methods described above to dodge Google’s vetting system seem to have been put to good use, as Bitdefender researchers have identified 17 other apps that share the same practices. While the creators’ and applications’ names are different, they all share the same features in terms of hiding their existence and displaying ads.
While the Google Play apps found are not tagged as malware, but more as Riskware, users are strongly encouraged to always have a security solution installed on their devices, as it can accurately identify these apps and prevent users from installing them. Whether downloaded from official or third-party marketplaces, a mobile security solution will keep users safe from malware, riskware, or other potentially malicious apps as well as phishing or fraudulent websites.
Bitdefender identifies the found samples using the following detections: Android.Riskware.HiddenAds.HH, Android.Riskware.HiddenApp.AX, Android.Riskware.HiddenApp.HU.
All found versions:
Note: The information in this article was made available courtesy of Alexandra Bocereg, Junior Security Researcher, Bitdefender.