One of the most common ways to spread Android malware, including malware found on the official Google Play Store, is by masquerading as a legitimate popular application. The last such example that we blogged about on WeLiveSecurity was a fake Dubsmash app and Android/TrojanDropper.Mapin compromising tens of thousands of users’ devices. In order to help make Google Play a safer place for Android users, ESET continues to monitor the official Android app market for malicious or potentially unwanted applications.
Another such threat was installed more than 200,000 times, having been available on Google Play for more than a month. The apps posed as Cheats for Pou, Guide For SubWay and Cheats For Subway, claiming to offer cheats for those games. The real payload of these applications was to deliver ads to users at regular intervals.
While ad-supported applications are common in the Android ecosystem, there’s a clear boundary of behaviors that ESET cannot condone. These particular AdDisplay PUAs contain specialized self-protection functionality not only to make the removal of the malware from the Android device more difficult, but also to evade detection by Google Bouncer in the first place.
When users notice that the apps behave very unusually and try to uninstall them, they find that it is not easy, because the apps ask the user to grant them Device administrator rights. Thus, users may have problems removing this AdDisplay threat. This AdDisplay also uses an interesting anti-Bouncer technique to avoid being blocked by the Bouncer filter before it is released on Google Play.
These unwanted applications were removed from Google Play after we notified Google of the problem. ESET’s security software detects this unwanted application as Android/AdDisplay.Cheastom.
Analysis
When analyzed, AdDisplay.Cheastom turns out to be an unusual type of infiltration from more than one point of view. The app requests Device administrator rights, so it is not simple for users to uninstall it from the device. After activation it tries to detect whether it is being executed in an emulator or from Google’s servers (Bouncer). The anti-Bouncer technique used by this AdDisplay is rather interesting: it obtains the IP address of the device and checks the IP’s WHOIS record. If the information returned contains the string ‘Google’, it assumes that it is running in Bouncer. This is (most probably) an effective anti-Bouncer technique, although we are unsure how big a role it actually played in getting past Google’s defenses. If the app detects an emulator or Bouncer environment, the actual payload (displaying ads) is not initiated. Instead, the app continues with apparently innocuous behavior: game cheats are displayed, as expected.
The applications we discovered (‘Cheats for Pou’ and ‘Cheats for Subway’) are similar in functionality and even in the cheats they display. In fact, the malware authors were so lazy that instead of showing Pou cheats in Cheats for Pou, the app displays cheats for Subway Surfers. Based on that, we can assume that showing cheats wasn’t the main intention of the developer.
If a virtual environment is not detected by the apps, they set a scheduler to show a full-screen advertisement every 30 or 40 minutes. The functionality for displaying ads in cycles starts anyway, even if executed in an emulated environment, once the device is rebooted. After a reboot, full-screen ads are shown every 45 minutes.
After an elapsed period of time, the applications make sure the device is connected to the internet. If it is, it asks the attacker’s server whether ads should be displayed.
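The traits described in this section (Device administrator abuse, reboot persistence, a hidden launcher icon, the WHOIS-for-‘Google’ check, emulator detection and scheduled ads) can be turned into a simple static triage heuristic. The following is an added example and not ESET’s detection logic; the indicator weights, the emulator fingerprints and all sample artifacts are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class ApkArtifacts:
    package: str
    permissions: set    # uses-permission names plus android:permission attributes on components
    receivers: set      # receiver class names from the manifest
    strings: list       # string constants pulled from the decoded classes

def _has(strings, pattern):
    rx = re.compile(pattern, re.I)
    return any(rx.search(s) for s in strings)

# (indicator, weight, predicate). Weights are an assumption, chosen so that
# device-admin abuse plus one sandbox-evasion trait crosses the threshold.
INDICATORS = [
    ("device_admin", 3, lambda a: "android.permission.BIND_DEVICE_ADMIN" in a.permissions
        or any("DeviceAdminReceiver" in r for r in a.receivers)),
    ("boot_persistence", 2, lambda a: "android.permission.RECEIVE_BOOT_COMPLETED" in a.permissions),
    ("hides_launcher_icon", 2, lambda a: _has(a.strings, r"setComponentEnabledSetting")),
    # WHOIS lookup of the device's own IP combined with a literal "Google" comparison
    ("whois_google_check", 3, lambda a: _has(a.strings, r"whois") and "Google" in a.strings),
    # Common emulator fingerprints (assumed; the post does not name the exact check used)
    ("emulator_check", 2, lambda a: _has(a.strings, r"^(generic|goldfish|google_sdk)$")),
    ("periodic_ads", 1, lambda a: _has(a.strings, r"AlarmManager|setRepeating")),
]
THRESHOLD = 7

def triage(a):
    """Return (verdict, hit indicator names, total weight) for one decoded APK."""
    hits = [name for name, _, pred in INDICATORS if pred(a)]
    total = sum(w for name, w, _ in INDICATORS if name in hits)
    verdict = "review" if total >= THRESHOLD and "device_admin" in hits else "ok"
    return verdict, hits, total

# Constructed samples: one with the Cheastom traits, one ordinary ad-supported guide app.
CHEATS_SAMPLE = ApkArtifacts(
    "com.example.cheats.placeholder",
    {"android.permission.INTERNET", "android.permission.BIND_DEVICE_ADMIN",
     "android.permission.RECEIVE_BOOT_COMPLETED"},
    {"com.example.cheats.AdminReceiver"},
    ["http://whois.example/%s", "Google", "generic", "setComponentEnabledSetting", "AlarmManager"],
)
BENIGN_SAMPLE = ApkArtifacts(
    "com.example.guide.placeholder", {"android.permission.INTERNET"}, set(),
    ["Subway Surfers tips", "AlarmManager"],
)
```

A single hit such as a repeating alarm is normal for ad-supported apps; the verdict only flips to review when Device administrator rights are requested together with enough of the evasion and persistence traits.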
Getting rid of Android/AdDisplay.Cheastom
Uninstalling this application can be very difficult, as many users have mentioned in reviews. The application requests Device administrator rights and can hide its own launch icon. The device user can find these apps in the application list, but it is not possible to uninstall them directly. To remove these applications, the user has to deactivate Device administrator before they can be uninstalled.
If you are using ESET Mobile Security software on your device, it will deactivate Device administrator and uninstall this threat for you, but first you need to have activated detection of Potentially Unwanted Applications from Advanced Settings. You can turn on this feature from Antivirus -> Advanced Settings -> Detect Potentially Unwanted Applications.
If you do not have security software installed, then you can deactivate and uninstall the PUA manually. The device user can apply this method not only to these apps, but to every non-system application he considers suspicious.
After deactivating Device administrator, the applications can be uninstalled by going to Settings -> Apps/Application manager -> Cheats for Pou/Cheats For Subway/Guide For SubWay.
Conclusion
These applications were designed to display advertisements, hiding themselves behind cheats for famous, heavily-downloaded applications. The interesting techniques used by these PUAs probably helped them slip past Google’s store security filter, Bouncer. The apps’ malicious payload was not activated if they detected that they were running in an emulator, or on an IP address whose WHOIS information was linked to Google. As a second technique for staying under the radar, the malware behaved innocuously unless the C&C server instructed the bot to display ads. This is one example where even an AdDisplay Potentially Unwanted Application can be very annoying and hard to uninstall from a device.
More information
About ESET: ESET is a pioneer of proactive protection against cyber threats with its award-winning NOD32 technology. Daily, it protects over 100 million computers, laptops, smartphones, tablets and servers, no matter the operating system. ESET solutions for the home and business segments deliver a continual and consistent level of protection against a vast array of existing and emerging threats.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.