March 14, 2019
There is ongoing speculation that almost 150 million Android phone users who installed an app may be facing a malware attack. Unknown to them, the app contained adware known as SimBad. This adware appeared in the form of an advertising kit, RXDrioder, which the apps use to control adverts on the user’s device.
However, ZDNet received contrary intel on the 13th of March, 2019 from Check Point, an Israeli cyber-security firm. According to them, the people behind RXDrioder were using the kit’s code as camouflage for malware. Once a user downloads the app, the malware hijacks the device and shows advertisements to enrich the makers.
On why it was on Play Store
Check Point thought that the makers deceived app developers into using the malicious SDK. Since the developers wouldn’t have known what it contained, they introduced it innocently. Check Point’s reason for making such an assumption is that the malware was not the handiwork of one developer. Also, they noticed that it was not targeting any particular country. During its sweep, the company discovered the adware inside 210 apps on the Google Play Store. Unfortunately, they also identified up to 150 million users who had downloaded it unknowingly. The update about the affected apps revealed that they were mostly shooter and racing games.
On the RXDrioder kit, Check Point further stated that it had many sneaky features that shouldn’t appear in an SDK. For instance, the adware may hide the icon of a particular app to prevent users from uninstalling it. This tactic is common amongst Android malware, and this one is no exception.
Check Point is also saying that the people behind SimBad have used the SDK’s advertising feature inappropriately for secret profits. The worst part is that the malicious crew can manipulate each of the apps with the RXDrioder SDK by sending instructions to them. If they achieve this, they can control these apps without permission from the real developers.
More Implications of the malware
According to Check Point, this malware does not only overlay ads; it can cause other damage to users. For instance, it can force a browser on the device to open a URL showing more adverts. It could also open 9Apps and Google Play Store and cause a user to participate in monetization schemes.
Check Point also unearthed other features in the code. For instance, the malware could install an app without a user’s knowledge or show specific notifications. As of the time of the intel, Google had removed the tainted apps from the Play Store.
According to Check Point’s Research and Development Manager Jonathan Shimonovich, Google reacted very fast to the discovery. It spent only a few weeks investigating all the apps and removing the ones that had the malware. Check Point also published a list of the tainted apps showing the package name, the app name and the number of installations.
The reach of the malware was large, and as such, it ranks high amongst other adware infestations on the Play Store. The only consolation is that there is no link between SimBad and other popular adware such as the hummingbird, etc. So it is likely that this malware is still new.