Millions hit by major Android-based malware campaigns

Dozens of 'innocent' apps are being infected through the development supply chain

Researchers have outlined two separate malicious campaigns that have collectively infected more than 200 Android apps that have surpassed the 250 million download milestone. 

Both campaigns, which centre on adware and data-scraping respectively, are targeting Android users only, and have infected a host of applications by fooling developers into using malicious software development kits (SDKs).

Advertisement - Article continues below

The more prominent campaign of the two, dubbed 'SimBad' because it primarily affects simulation games, has infected 206 apps which have been downloaded a combined 150 million times, according to Check Point Research.

The malware itself lives in the ad-related 'RXDroider' SDK, provided by 'addroider.com' and adopted by a swathe of developers.

Once the user downloads and installs one of the infected apps, SimBad registers itself to the device and is allowed to perform actions autonomously. After installation, the malware then connects with the command and control server to receive orders. These may range from opening a browser with a given URL to removing the app icon from the launcher.

The app's three-pronged capabilities include showing ads, opening phishing pages, and exposing users to other applications. The attackers are also able to install a remote application from a designated server, allowing them to further infect users with malware at their discretion.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"With the capabilities of showing out-of-scope ads, exposing the user to other applications, and opening a URL in a browser," the researchers said, "'SimBad' acts now as an Adware, but already has the infrastructure to evolve into a much larger threat."

CheckPoint Research also outlined 'Operation Sheep' in a second report yesterday. This involves a group of Android apps harvesting contact information from users' phones on a mass scale without their consent.

This malware has similarly been loaded in an SDK built for data analytics, and has been seen in up to 12 different Android apps to date. These have been collectively downloaded over 111 million times.

The SWAnlaytics SDK has been integrated into a dozen seemingly innocuous Android apps published on third-party Chinese app stores such as the Huawei App Store, Xioami App Store and Tencent MyApp.

The researchers first encountered a sample of the infection in September 2018, and have traced a data-scraping path that leads to servers owned by Shun Wang Technologies. Once the malicious apps are installed, entire contact lists are uploaded to the firm's servers, according to Check Point Research.

Advertisement - Article continues below

They also noted in the Tencent MyApp store alone, eight of 12 infected apps collectively amassed 111 million downloads.

"In theory," the researchers speculated, "Shun Wang Technologies could have collected a third of China's population names and contact numbers if not more."

They added with no clear declaration of data usage form Shun Wang, nor regulatory supervision, data could easily be traded within underground markets and abused in a variety of ways. These may range from rogue marketing to friend referral program abuse.

"Compared to financial data and government-issued ID document information, personal contact information is often treated as less sensitive data," the researchers said.

"According to popular belief, it requires extra effort to exploit such data while potential profits do not match a hacker's effort. Hence it is unlikely to be targeted.

"However, the landscape is changing with deep specialization in underground markets and new "business models" available to profit from such personal contact data."

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement
Advertisement

Recommended

British teenager charged over Twitter hack
hacking

British teenager charged over Twitter hack

3 Aug 2020
Mid-year report says vulnerabilities up 22% in 2020
hacking

Mid-year report says vulnerabilities up 22% in 2020

30 Jul 2020
BlackRock banking Trojan targets Android apps
trojans

BlackRock banking Trojan targets Android apps

27 Jul 2020
Election officials are vulnerable to phishing attacks, report warns
phishing

Election officials are vulnerable to phishing attacks, report warns

27 Jul 2020

Most Popular

How do you build a great customer experience?
Sponsored

How do you build a great customer experience?

20 Jul 2020
Labour Party donors caught up in Blackbaud data breach
data breaches

Labour Party donors caught up in Blackbaud data breach

31 Jul 2020
Why it’s time to expand beyond 16:9 monitors
Advertisement Feature

Why it’s time to expand beyond 16:9 monitors

21 Jul 2020