Check Point mobile researchers have discovered a new adware campaign on the Google Play Store, which they have dubbed “SimBad” because a large portion of the infected applications are simulator games.
This particular strain of adware was found in 206 applications, with a combined download count of almost 150 million.
Google was swiftly notified and removed the infected applications from the Google Play Store.
The malware resides within the ‘RXDrioder’ Software Development Kit (SDK), which is provided by ‘addroider[.]com’ as an ad-related SDK.
Check Point believes the developers were scammed into using this malicious SDK, unaware of its content, which explains why the campaign neither targets a specific country nor originates from a single developer.
Once the user downloads and installs one of the infected applications, ‘SimBad’ registers itself for the ‘BOOT_COMPLETE’ and ‘USER_PRESENT’ intents, which lets ‘SimBad’ perform actions after the device has finished booting and while the user is using the device, respectively.
After installation, the malware connects to the designated Command and Control (C&C) server and receives a command to perform. ‘SimBad’ comes with a respectable list of capabilities on the user’s device, such as removing its icon from the launcher (making it harder for the user to uninstall), displaying ads in the background, and opening a browser with a given URL.
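The boot-and-unlock receiver registration described above is visible statically in an app's manifest. The following added triage script (not part of the Check Point write-up) parses a decoded AndroidManifest.xml, as produced by tools such as apktool, and reports receivers subscribed to the boot-completed and user-present broadcasts; the write-up's ‘BOOT_COMPLETE’ corresponds to the Android action android.intent.action.BOOT_COMPLETED, which only fires when RECEIVE_BOOT_COMPLETED is declared. The embedded manifest is a constructed sample with hypothetical package and class names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
# Actions SimBad's receivers subscribe to; the write-up's 'BOOT_COMPLETE' is
# the Android action BOOT_COMPLETED, which also needs a permission to fire.
WATCHED = {"android.intent.action.BOOT_COMPLETED",
           "android.intent.action.USER_PRESENT"}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed decoded AndroidManifest.xml (as produced by e.g. apktool);
# package and class names are hypothetical placeholders, not SimBad's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.simulatorgame">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Game">
    <receiver android:name="com.example.adsdk.WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.game.ScoreReceiver">
      <intent-filter>
        <action android:name="com.example.game.SCORE_UPDATED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Report receivers listening for boot/unlock broadcasts and whether the
    manifest declares the permission BOOT_COMPLETED delivery requires."""
    root = ET.fromstring(manifest_xml)
    receivers = {}
    for rcv in root.iter("receiver"):
        actions = {a.get(NAME) for a in rcv.iter("action")} & WATCHED
        if actions:  # receiver wakes the app at boot and/or on unlock
            receivers[rcv.get(NAME)] = sorted(actions)
    boot_perm = any(p.get(NAME) == BOOT_PERM
                    for p in root.iter("uses-permission"))
    return {"receivers": receivers, "boot_permission": boot_perm}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A receiver hit on its own is not proof of malice (many legitimate apps restart services after boot); it is a triage signal to combine with the ad SDK and C&C indicators the write-up describes.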
SimBad has capabilities that can be divided into three groups: Show Ads, Phishing, and Exposure to other applications. With the capability to open a given URL in a browser, the actor behind SimBad can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.
With the capability to open market applications, such as Google Play and 9Apps, with a specific keyword search or even a single application’s page, the actor can gain exposure for other threat actors and increase his profits. The actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware once it is required.
The C&C server observed in this campaign is ‘www[.]addroider.com’. This server runs an instance of ‘Parse Server’ (source on GitHub), an open source version of the Parse Backend infrastructure, which is a model for providing web app and mobile app developers with a way to link their applications to backend cloud storage and APIs exposed by back-end applications, while also providing features such as user management, push notifications and more.
The domain ‘addroider[.]com’ was registered via GoDaddy and uses a privacy-protection service. Accessing the domain from a browser yields a login page very similar to other malware panels. The ‘Register’ and ‘Sign Up’ links are broken and redirect the user back to the login page.
According to RiskIQ’s PassiveTotal, the domain expired seven months ago. As a result, a compromised, parked domain that was initially used legitimately could now be participating in malicious activities.