The developers of 210 mobile applications found on the Google Play Store were apparently tricked into building their programs using a malicious software developer kit that secretly implanted adware in their apps.
The apps, many of which were packaged as driving or racing simulator games, were downloaded nearly 150 million times by Android device users, according to a new blog post from researchers at Check Point Software Technologies.
Dubbed SimBad, the adware was discovered within the RXDrioder Software Development Kit, which bills itself as an ad-related SDK. “We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific county or developed by the same developer,” according to a company blog post written by researchers Elena Root and Andrey Polkovnichenko.
Examples of the compromised applications include Snow Heavy Excavator simulator (with roughly 10 million installations), Ambulance Rescue Driving, Car Parking Challenge and Offroad Wood Transport Truck Driver. Upon being informed of the problem, Google quickly removed the offending programs from the Play Store, Check Point says.
“Once the user downloads and installs one of the infected applications, ‘SimBad’ registers itself to the ‘BOOT_COMPLETE’ and ‘USER_PRESENT’ intents, which lets ‘SimBad’ to perform actions after the device has finished booting and while the user is using his device respectively,” the blog post reports. This allows Simbad to accept various commands from its C2 server, including commands to display out-of-scope background ads, open a URL in a browser and remove the app icon from the launcher.
With such capabilities, SimBad is able to generate and open up spear phishing pages, open market apps like Google Play and 9Apps to promote specific apps, or even install a remote application.
“With the capabilities of showing out-of-scope ads, exposing the user to other applications, and opening a URL in a browser, ‘SimBad’ acts now as an adware, but already has the infrastructure to evolve into a much larger threat,” the report warns.