Wandera’s threat research team has discovered seven apps on the Google Play Store which contain dropper malware. The dropper apps are designed to download and install APKs from a GitHub repository, essentially opening a backdoor on the device for any new application functionality to be installed. In the case of the seven apps, the APKs being installed include adware, a form of malware that violates the policies of the Google Play Store.

The apps that are retrieved from GitHub deliver an aggressive, out-of-app ad experience that drain device battery and consume excessive amounts of mobile data. These adware APKs are (1) not present on the Google Play Store, and (2) are being installed as separate functioning apps.

Dropper app functionality

In an effort to evade detection by security researchers and malware detection agents, the dropper apps wait after the initial start-up before sending a request to GitHub, the software hosting service. A GitHub URL is embedded in the code of the dropper app, but it’s obfuscated to prevent the URL string from being flagged by any human analysis or app store security checks.

The server responds with an obfuscated JSON message that contains configuration data for the dropper app and additional URLs, which point to the location of the adware APK. Once the malicious payload is downloaded from the hosting service, the dropper apps initiate an install process.

Adware APK functionality

Once installed by the dropper, the adware APKs wait approximately 10 minutes before initiating malicious functionality. Then they display fullscreen video ads, outside of the app, without any user interaction.

The ads are highly intrusive, overlaying other applications and are shown anytime the device screen is unlocked. If the screen is turned off and no passcode is set up, the adware activates the ad in set intervals, turns on the screen, and plays the video ads until the user realizes and closes them. If the device has a passcode configured, the adware activates the ad and turns on the screen but cannot bypass the passcode to display the video ads; this results in CPU spikes and battery consumption with no visual cues presented to the user.

Because the adware can self-execute without user interaction and because the video ads require manual dismissal, this adware can have a serious effect on device battery life and data consumption. Especially if this happens when the device is in a victim’s bag or pocket for hours playing video ads without being noticed.

While this adware is a nuisance, the biggest concern is that the attacker may at any time replace the adware APKs with much more serious malware types and deliver those to the affected devices.

Google Play Store violation

In this discovery, there are two types of malware involved. The apps identified on the Google Play Store are classified as dropper malware and violate the terms of the Google Play Store outlined under ‘malicious behavior’.

“An app distributed via Google Play may not modify, replace, or update itself using any method other than Google Play’s update mechanism. Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play.”

Additionally, the adware APKs pulled down by the droppers are classified as adware and violate the terms of the Google Play Store outlined under ‘disruptive ads’.

“Ads must only be displayed within the app serving them. We consider ads served in your app as part of your app … Interstitial ads may only be displayed inside of the app serving them.”

Research process

The seven apps outlined in this document were discovered during research occurring during the second half of 2019. The initial discovery by Wandera included only three dropper apps published by a developer registered as iSoft LLC. Those apps were removed from the Google Play store shortly after discovery.

Following the initial discovery, Wandera threat labs continued to monitor both Google Play and the GitHub repository.

Wandera researchers then discovered that two more developers registered as PumpApp and LizotMitis had published apps on Google Play with the same malicious functionality observed in the iSoft dropper apps. These new developers have a total of four infected apps (two each) that are still active at the time of this writing.

On GitHub, the attacker was frequently updating the files that were hosted in their Github repository.

Wandera notified GitHub of the adware APKs being hosted in the repository and reported the dropper apps to Google Play when this new series of apps emerged with the same dropper code.

What are the dropper apps?

The seven dropper apps have been published by three different developer accounts and collectively have approximately 11,000 downloads according to Google Play. Note: the apps published under iSoft LLC were removed from Google Play in October. The others are still live at the time of writing.

Developer: PumpApp
Apps:

Developer: LizotMitis
Apps:

Developer: iSoft LLC
Apps (all have been removed):

Remediation

Wandera customers are protected from the payload since Wandera is able to detect sideloading (APK download from 3rd party) and reject the APK download. Users just need to uninstall the dropper app.

We recommend that users with these apps installed find both the dropper apps and payload apps and uninstall them manually from the device.

App names and package names of the payloads found on GitHub repository below:

  • Flashlight (adware) – com.shasha.flashlight
  • Calculator (no malicious behavior observed) – com.shasha.calculator
  • BassBooster (adware) – com.shasha.music.equalizer
  • Calculator (adware) – com.shasha.supercaculator
  • Calculator (adware) – com.applecheng.calculator2
  • Flashlight (adware) – com.applecheng.flashlight2

For the latest news on mobile threats, sign up to our newsletter