
Malicious SDK installs SimBad adware on apps downloaded millions of times

The developers of 210 mobile applications found on the Google Play Store were apparently tricked into building their programs with a malicious software development kit (SDK) that secretly implanted adware in their apps.

The apps, many of which were packaged as driving or racing simulator games, were downloaded nearly 150 million times by Android device users, according to a new blog post from researchers at Check Point Software Technologies.

Dubbed SimBad, the adware was discovered within the RXDrioder Software Development Kit, which bills itself as an ad-related SDK. "We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific country or developed by the same developer," according to a company blog post written by researchers Elena Root and Andrey Polkovnichenko.

Examples of the compromised applications include Snow Heavy Excavator simulator (with roughly 10 million installations), Ambulance Rescue Driving, Car Parking Challenge and Offroad Wood Transport Truck Driver. Upon being informed of the problem, Google quickly removed the offending programs from the Play Store, Check Point says.

"Once the user downloads and installs one of the infected applications, ‘SimBad’ registers itself to the ‘BOOT_COMPLETE’ and ‘USER_PRESENT’ intents, which lets ‘SimBad’ perform actions after the device has finished booting and while the user is using his device respectively," the blog post reports. This allows SimBad to accept various commands from its C2 server, including commands to display out-of-scope background ads, open a URL in a browser and remove the app icon from the launcher.
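One way an app reviewer or mobile security team can triage for the persistence pattern described above is to scan an app's AndroidManifest.xml for broadcast receivers that register for both boot completion and user-unlock events (Android's action strings are android.intent.action.BOOT_COMPLETED and android.intent.action.USER_PRESENT). The Python script below is an added example, not Check Point's tooling or anything from the report; the manifest it parses is constructed for illustration, and the package and receiver names in it are made up. A receiver that also lives in a package other than the app's own is the kind of bundled third-party component worth a closer look.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = "{%s}name" % ANDROID_NS

# Full Android action strings for the two intents named in the report.
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
USER_PRESENT_ACTION = "android.intent.action.USER_PRESENT"

# Constructed sample manifest (not from any real app); package and
# receiver names are made up for this example.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.drivingsim">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Driving Sim">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name="com.example.thirdpartysdk.WakeReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.USER_PRESENT"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".UpdateReceiver">
            <intent-filter>
                <action android:name="android.intent.action.MY_PACKAGE_REPLACED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def receiver_actions(manifest_xml):
    """Return {fully_qualified_receiver_name: set(action strings)} for every <receiver>."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    result = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NAME, "")
        # A leading dot is Android shorthand for "<package>.<ClassName>".
        if name.startswith("."):
            name = package + name
        actions = {action.get(ANDROID_NAME, "") for action in receiver.iter("action")}
        result[name] = actions
    return result


def flag_persistence_receivers(manifest_xml):
    """Return receivers registered for BOTH BOOT_COMPLETED and USER_PRESENT.

    Either action alone is common in benign apps; the combination (run after
    boot, then again every time the user unlocks the device) is the pattern
    the report describes and deserves manual review.
    """
    return [name for name, actions in receiver_actions(manifest_xml).items()
            if BOOT_ACTION in actions and USER_PRESENT_ACTION in actions]


def foreign_package_receivers(manifest_xml):
    """Return flagged receivers whose class lives outside the app's own package,
    i.e. components most likely contributed by a bundled SDK rather than the developer."""
    package = ET.fromstring(manifest_xml).get("package", "")
    return [name for name in flag_persistence_receivers(manifest_xml)
            if not name.startswith(package + ".")]


if __name__ == "__main__":
    for name in flag_persistence_receivers(SAMPLE_MANIFEST):
        print("review (boot + unlock receiver):", name)
    for name in foreign_package_receivers(SAMPLE_MANIFEST):
        print("receiver outside app package, likely bundled SDK:", name)
```

In practice the manifest is pulled from the APK with a decoder such as apktool (its binary XML must be decoded first; the script expects plain text XML), and the flagged class names are then compared against the SDKs the developer knowingly integrated.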

With such capabilities, SimBad is able to generate and open up spear phishing pages, open market apps like Google Play and 9Apps to promote specific apps, or even install a remote application.

"With the capabilities of showing out-of-scope ads, exposing the user to other applications, and opening a URL in a browser, ‘SimBad’ acts now as an adware, but already has the infrastructure to evolve into a much larger threat," the report warns.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
