Aggressive adware – on music, photo editing and fitness apps – just won’t go away, convincing users to install more apps.
Using Avast’s mobile threat intelligence platform, apklab.io, we discovered 50 adware apps on the Google Play Store. The installations of the apps range from 5K to 5M installations. The adware can be very annoying as it persistently displays full screen ads, and in some cases, tries to convince the user to install further apps.
The adware applications are linked together by the use of third party Android libraries which bypass the background service restrictions present in newer Android versions. Although the bypassing itself is not explicitly forbidden on Play Store, Avast detects it as Android:Agent-SEB [PUP], because apps using these libraries waste the user’s battery and make the device slower. The applications in this article used the libraries to keep displaying more and more ads to the user, which is against Play Store rules.
We are referring to the adware based on these libraries as “TsSdk”, because the term was found in the first version of the adware.
The adware was installed 30 million times before being removed from Google Play Store, Avast research found. We have cooperated with Google, and all of the samples were removed from the Play Store before the release of this article.
Using apklab.io, we found two versions of TsSdk on the Play Store so far, all linked together by the same code. Below you will find descriptions for both of them, from the oldest to the newest versions of the adware.
The oldest version of TsSdk, which we will refer to as “version A” was installed 3.6 million times. The apps containing the adware were simple games, fitness, and photo editing apps.
Version A was most often installed in India, Indonesia, Philippines, Pakistan, Bangladesh and Nepal.
Above, an example of one of the apps containing TsSDK.
Once installed, most of the apps containing version A appear to work as advertised in their Google Play pages, but come with a nasty, extra surprise: shortcuts to the apps, as well as a game center are added to the home screen, and full screen ads are shown to the user when they turn the screen on. In some variants of version A, ads are also shown periodically when the user is using the device. Here is a video showing this.
Version A is not very well obfuscated and the adware SDK is easy to spot in the code. It is also the less prevalent of the two versions. Some variants of version A also contain code that downloads further applications, prompting the user to install them.
The most interesting aspect of version A is that most samples also added a shortcut to a “Game Center” on the infected device’s home screen, which opens a page advertising different games: http://h5games.top/.
It’s interesting because the name “H5GameCenter” was also part of the Cosiloon preinstalled malware we reported last year. Are these two somehow linked together? We aren’t sure. There could be a relationship between the two, or perhaps the Game Center developers bought advertising in both Cosiloon and TsSdk.
The second oldest version of TsSdk, which we will refer to as “version B” was installed nearly 28 million times. The adware was included in fitness and music apps.
Version B was most often installed in the Philippines, India, Indonesia, Malaysia, Brazil, Nepal and Great Britain.
It seems like the developers of the adware put a little more effort into version B, as it appears newer and its code is better protected. The adware code is encrypted using the Tencent packer, which is rather hard to unpack by analysts, but is easily captured during dynamic analysis in apklab.io.
We haven’t managed to make version B display ads on our devices because it carries out several checks before it actually deploys the full-screen ad functionality. First and foremost, the adware is only triggered if the user installs the app by clicking on a Facebook ad. The application can detect this using a Facebook SDK feature called “deferred deep linking”.
We weren’t presented with the ads on Facebook, but rather sought the infected apps out on the Play Store, so the ads were not shown.
It also only shows ads within the first four hours of the app being installed and then much less frequently. From the code, we know that within the first four hours, full screen ads are displayed randomly when the phone is unlocked or every 15 minutes, at 15 minutes, 30 minutes and 45 minutes after the hour - the last time included in the code is a bit funny, apparently an hour has at least 61 minutes, wherever the developer lives (it should have read :00):
Version B doesn’t seem to work on Android version 8.0 and above because of changes in the background service management in these newer Android releases. However, nearly 80% of devices are running older Android versions at the time of writing.
Although we didn’t manage to trigger ads on our test devices, the code is clearly set-up to show intrusive ads and the reviews don’t leave much room for interpretation:
Due to the number of samples, we’ve only selected the latest APK from each app and put them into this spreadsheet.
Screenshots from Google Play Store and the Facebook pages are available here.
Please note that many Version A apps were on Play Store before, but Google removed them before our research was complete, including the 1M+ installs Pro Piczoo app.
Install a trustworthy antivirus app. Antivirus acts as a safety net and can protect you from adware.
Exercise caution when downloading apps. Read app reviews before installing a new app, carefully reading both positive and negative reviews. Notice if reviewers comment on whether or not the app does what it says it will do. If an app’s review includes comments like “this app doesn’t do what it promises” or “this app is packed with adware,” - think twice about downloading the app! Reviews like this are a sign that something isn’t right.
Always carefully check app permissions, closely looking to see if they make sense. Granting incorrect permissions can send sensitive data to cybercriminals, including information such as contacts stored on the device, media files and insights into personal chats. If anything seems out of the ordinary or beyond what seems appropriate, the app should not be downloaded.
Avast Threat Intelligence has identified a new advanced persistent threats (APT) campaign targeting government agencies and a government data center in Mongolia.
Our Aposemat Team has been testing the capabilities of IPv6 and how malware could take advantage of it. One of the topics explored was exfiltration of data via the IPv6 protocol, which we discuss in this post.
Popular banking services, including PayPal, Revolut and Venmo, allow users to request money from others with a few easy steps. Although simple, this functionality could increase the likelihood of related spearphishing attacks.