Thursday, October 8, 2015

Another malicious Android app that evades Google's Bouncer filter – We Live Security (blog)

One of the most common ways to spread malware through the official Google Play store is to masquerade as popular legitimate applications. The most recent examples we examined were fake Dubsmash apps and the Android/TrojanDropper.Mapin family, which affected tens of thousands of devices. To help make Google Play a safer place for Android users, ESET continues to monitor the official application market for potentially malicious or unwanted apps.

This monitoring led to the discovery of another threat on Google Play, downloaded more than 200,000 times so far. The malware poses as Cheats for Pou, Guide For SubWay and Cheats For Subway, and claims to offer cheats for those games; its real payload is to push advertisements to the user at regular intervals.

Although ad-supported applications are very common in the Android ecosystem, there is a clear line of behaviour that ESET cannot ignore. These potentially unwanted AdDisplay applications in particular contain a dedicated self-protection feature that not only makes the app hard to remove from the device, but is also designed to evade initial detection by Google's Bouncer filter.

When users notice that the application behaves oddly and try to uninstall it, they find it very difficult, because the program has asked for and been granted device administrator rights. It also uses an "anti-Bouncer" technique to evade Bouncer, the screening system Google runs on applications before they are published on Google Play.

Malicious 'Cheats for Pou' application, downloaded from the Google Play Store

Malicious 'Cheats For Subway' application, downloaded from the Google Play Store

Malicious 'Guide For SubWay' application, downloaded from the Google Play Store

After we reported the problem to Google, these unwanted applications were removed from the Google Play store. ESET security software detects them as Android/AdDisplay.Cheastom.

Analysis: when WHOIS returns the string "Google", no ads are displayed

On analysis, AdDisplay.Cheastom turned out to be a rather unusual piece of infiltration in several respects. The application requests device administrator rights, so uninstalling it is not straightforward for the user. Once activated, it first tries to detect whether it is running on an emulator or on Google's servers (the Bouncer system).

The anti-Bouncer technique this AdDisplay uses is quite interesting. It obtains the device's public IP address and looks up its WHOIS record. If the returned information contains the string "Google", it assumes it is running inside Bouncer. This is probably a tactic to evade the Bouncer filter, although we cannot say for certain whether this is what allowed it to slip past Google's defences unnoticed. If the application detects an emulated environment or Bouncer, the payload does not start and no ads are shown. Instead, the application carries on with seemingly harmless behaviour: it shows the game cheats, as promised.

The discovered applications ('Cheats for Pou' and 'Cheats for Subway') have similar functionality; even the cheats they display are the same. In fact, the malware authors were so careless that instead of showing cheats for Pou, the Cheats for Pou app simply displays the Subway Surfers cheats again. We can therefore assume that showing game cheats was not the developer's main intention.

This is the list of cheats shown.

If the applications do not detect a virtual environment, they set up a scheduled task that displays a full-screen advertisement every 30 or 40 minutes. However, the ad-display cycle starts anyway after the device is rebooted, even when the application is running in an emulated environment. After a reboot, full-screen ads are shown every 45 minutes.
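To make the gating logic described in the two preceding paragraphs concrete for analysts, the following Python script simulates it. This is an added example and not code from the ESET post or from the sample: the WHOIS replies and Build properties are constructed, nothing contacts the network, and because the post does not say which Build fields the sample reads for emulator detection, the indicators used for that are an assumption based on common emulator fingerprints. It also shows the weakness of a whole-text "Google" match and the boot-time path that skips the check entirely.

```python
"""Simulation of the AdDisplay.Cheastom sandbox gate described above.

Added example, not code from the ESET post or the sample. WHOIS texts and
Build properties below are constructed; nothing here touches the network.
The emulator indicators are an assumption (the post does not name them).
"""
import re
from dataclasses import dataclass

# Constructed WHOIS replies in ARIN (OrgName) and RIPE (org-name/netname) style
WHOIS_GOOGLE = """\
NetRange:       8.8.8.0 - 8.8.8.255
NetName:        LVLT-GOGL-8-8-8
OrgName:        Google LLC
OrgId:          GOGL
"""
WHOIS_ISP = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          Example Telecom residential pool
org-name:       Example Telecom Ltd
"""
# Same ISP, but a remark mentions Google: a whole-text match over-triggers here
WHOIS_ISP_REMARK = WHOIS_ISP + "remarks:        Peering with Google at EXAMPLE-IX\n"


@dataclass
class BuildProps:
    fingerprint: str   # android.os.Build.FINGERPRINT
    model: str         # android.os.Build.MODEL
    hardware: str      # android.os.Build.HARDWARE


# Constructed property sets for a real handset and a stock SDK emulator
PHYSICAL = BuildProps("samsung/kltexx/klte:5.0/LRX21T/G900FXXU1BOA1:user/release-keys",
                      "SM-G900F", "qcom")
EMULATOR = BuildProps("generic/sdk_phone_x86/generic_x86:5.1/LKY45/1737576:eng/test-keys",
                      "Android SDK built for x86", "ranchu")


def looks_like_emulator(b: BuildProps) -> bool:
    """Assumed indicators; the post only says the sample detects emulators."""
    m = b.model.lower()
    return (b.fingerprint.startswith("generic") or "sdk" in m
            or "emulator" in m or b.hardware in ("goldfish", "ranchu"))


def whois_has_google_anywhere(whois_text: str) -> bool:
    """The check as the post describes it: the string 'Google' anywhere."""
    return "google" in whois_text.lower()


def whois_owner_is_google(whois_text: str) -> bool:
    """Stricter variant that only looks at owner / network-name fields."""
    owner_fields = re.findall(r"^(?:OrgName|org-name|netname|descr):\s*(.+)$",
                              whois_text, flags=re.IGNORECASE | re.MULTILINE)
    return any("google" in v.lower() for v in owner_fields)


def ad_interval_minutes(whois_text, build, after_reboot, strict=False):
    """(min, max) minutes between full-screen ads, or None if suppressed.

    Mirrors the two paths in the post: the first-run path is gated by the
    emulator/WHOIS check, but the boot-time path ignores it and fires every
    45 minutes regardless.
    """
    if after_reboot:
        return (45, 45)
    check = whois_owner_is_google if strict else whois_has_google_anywhere
    if looks_like_emulator(build) or check(whois_text):
        return None            # sandbox suspected: stay "harmless", show cheats only
    return (30, 40)            # post: "every 30 or 40 minutes"


if __name__ == "__main__":
    cases = (("google", WHOIS_GOOGLE), ("isp", WHOIS_ISP), ("isp+remark", WHOIS_ISP_REMARK))
    for name, w in cases:
        print(name, ad_interval_minutes(w, PHYSICAL, after_reboot=False),
              ad_interval_minutes(w, PHYSICAL, after_reboot=False, strict=True))
```

Two practical consequences follow from the simulation: a dynamic-analysis sandbox whose egress IP resolves to a Google-owned range (or any WHOIS record that merely mentions Google) never sees the ad payload, so analysts should use a non-Google egress; and, because the boot receiver skips the check, simply rebooting the emulator makes the sample show its hand.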

Full-screen advertisements displayed by the application

After some time, the applications check whether the device has an Internet connection. If it does, they ask the attacker's server whether ads should be shown.

Communication with the C&C server

How to get rid of Android/AdDisplay.Cheastom

Removing this application can be very difficult, as many users have commented, because it requests device administrator rights and is able to hide its own launcher icon. The user can find it in the list of installed apps, but cannot uninstall it from there. To remove it, its device administrator privilege must first be deactivated.

If you have ESET Mobile Security installed on your device, it will deactivate the device administrator and uninstall the threat; however, detection of potentially unwanted applications must first be enabled in the program's advanced settings. You can enable it under Antivirus -> Advanced Settings -> Detect potentially unwanted applications.

Enabling detection of potentially unwanted applications

If you have no security software installed, you can deactivate and uninstall the potentially unwanted application manually. This method applies not only in this case but to any non-system application you consider suspicious.

Deactivating the device administrator and uninstalling the application (screenshots)

After deactivating the device administrator, you can uninstall the applications from Settings -> Application Manager -> Cheats for Pou / Cheats For Subway / Guide For SubWay.



Conclusion

These applications were designed to display advertisements, posing as cheats for popular games in order to attract downloads. We believe the interesting techniques used by these potentially unwanted applications helped them evade the Bouncer security filter of the Google Play store.

The payload of the malicious applications is not activated if it detects that it is running on an emulator, or if the WHOIS data for the device's IP address is linked to Google. As a second tactic to stay under the radar, the malware behaves harmlessly unless its C&C server tells the bot to start showing ads. This is an example of a very annoying potentially unwanted AdDisplay application that is difficult to remove from the device.



More information

Package name                                  MD5                               ESET detection
com.Pou.cheats.coins.money                    0F30507207EF166A0939EA625FD79088  Android/AdDisplay.Cheastom.A
com.SubWay.cheats.Keys.Coins.Money.Surfers    AA9F18CD5FCB2761CD83AFB1820B660F  Android/AdDisplay.Cheastom.A
com.sub.Gold.way.Money.Guid.apk               5AA29495194113C39F1D34B0D49F9F52  Android/AdDisplay.Cheastom.A
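For responders who have adb access to a device, the script below turns the removal steps above and the indicator table into a triage check: it matches installed packages against the listed package names and MD5s, and reports which of them hold an active device administrator, since that is what blocks uninstallation until it is deactivated under Settings -> Security -> Device administrators. This is an added example, not ESET's tooling. The package names and hashes are those from the table; the `pm list packages` and `dumpsys device_policy` outputs are constructed samples in the layout of those adb commands, and the admin receiver class names are invented.

```python
"""Triage helper for the Android/AdDisplay.Cheastom indicators listed above.

Added example, not ESET's tooling. IOCS holds the package names and MD5s
from the post's table; PM_LIST and DUMPSYS_DEVICE_POLICY are constructed
samples of `adb shell pm list packages` and `adb shell dumpsys device_policy`
output, and the admin receiver class names in them are invented.
"""
import hashlib
import re

# Indicators from the post's table: package name -> (MD5, ESET detection)
IOCS = {
    "com.Pou.cheats.coins.money":
        ("0f30507207ef166a0939ea625fd79088", "Android/AdDisplay.Cheastom.A"),
    "com.SubWay.cheats.Keys.Coins.Money.Surfers":
        ("aa9f18cd5fcb2761cd83afb1820b660f", "Android/AdDisplay.Cheastom.A"),
    "com.sub.Gold.way.Money.Guid.apk":
        ("5aa29495194113c39f1d34b0d49f9f52", "Android/AdDisplay.Cheastom.A"),
}

# Constructed output of `adb shell pm list packages`
PM_LIST = """\
package:com.android.settings
package:com.Pou.cheats.coins.money
package:com.example.mdm
"""

# Constructed output of `adb shell dumpsys device_policy` (component names invented)
DUMPSYS_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.Pou.cheats.coins.money/.DeviceAdminReceiver:
      uid=10142
      testOnly=false
      policies:
    com.example.mdm/.AdminReceiver:
      uid=10087
      testOnly=false
      policies:
        wipe-data
"""


def installed_packages(pm_output: str) -> set:
    """Package names from `pm list packages` output."""
    return {line[len("package:"):].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


# An enabled admin is listed as an indented "<package>/<class>:" line
ADMIN_RE = re.compile(r"^\s+([A-Za-z0-9_.]+)/(\S+):\s*$", re.MULTILINE)


def active_device_admins(dumpsys_output: str) -> dict:
    """Map package -> fully qualified admin component for each enabled admin."""
    admins = {}
    for pkg, cls in ADMIN_RE.findall(dumpsys_output):
        # Relative class names (".Foo") are expanded with the package name
        admins[pkg] = pkg + "/" + (pkg + cls if cls.startswith(".") else cls)
    return admins


def md5_of(data: bytes) -> str:
    """MD5 of APK bytes, e.g. after `adb pull` of the package's base.apk."""
    return hashlib.md5(data).hexdigest()


def triage(pm_output: str, dumpsys_output: str, apk_md5s: dict) -> list:
    """Cross-check installed packages against the IOC table.

    apk_md5s maps package -> MD5 hex of the pulled APK (any case). A package
    that is an active device admin will have `pm uninstall` refused until
    the admin is deactivated in Settings -> Security -> Device administrators.
    """
    installed = installed_packages(pm_output)
    admins = active_device_admins(dumpsys_output)
    findings = []
    for pkg, (ioc_md5, detection) in IOCS.items():
        if pkg not in installed:
            continue
        observed = apk_md5s.get(pkg, "").lower()
        findings.append({
            "package": pkg,
            "detection": detection,
            "md5_match": observed == ioc_md5,
            "admin_component": admins.get(pkg),   # None when not an admin
            "blocks_uninstall": pkg in admins,
        })
    return findings


if __name__ == "__main__":
    # Constructed: pretend the pulled APK hashed to the listed value
    hashes = {"com.Pou.cheats.coins.money": "0F30507207EF166A0939EA625FD79088"}
    for f in triage(PM_LIST, DUMPSYS_DEVICE_POLICY, hashes):
        print(f)
```

A package-name match alone is weak evidence (repackaged or updated builds change the hash, and benign apps can reuse a name), so the hash match and the admin component are reported separately; either a listed MD5 or a listed package name holding device-admin rights is enough to justify the manual removal steps above.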

Author: Lukas Stefanko, ESET

