Monday, November 25, 2024
HomeAdware206 Malicious Android Adware Apps Downloaded 150 Million Times from Google Play...

206 Malicious Android Adware Apps Downloaded 150 Million Times from Google Play Store

Published on

SimBad, a massive adware campaign discovered in Google playstore from more than 200 malicious apps that have been downloaded by nearly 150 million times.

Most of the Infected Malicious apps are belongs to simulator games category and these apps creating extremely annoying ads and displaying outside of the app which let users difficult to uninstall once it gets installed.

Malicious SDK (software development kit) “RXDrioder” played a major role in this campaign which utilizing by attackers to displaying a higher number of ads in order to generate more revenue.

- Advertisement - SIEM as a Service

Dubbed SimBad adware campaign was not particularly targeting any country and this SDK provided by ‘addroider[.]com’ who fooled developers to use it for app development.

According to checkpoint research, The app’s perform various malicious behavior including,

  1. Showing ads outside of the application, for example when the user unlocks their phone or uses other apps.
  2. Constantly opening Google Play or 9Apps Store and redirecting to another particular application, so the developer can profit from additional installations.
  3. Hiding its icon from the launcher in order to prevent uninstallation.
  4. Opening a web browser with links provided by the app developer.
  5. Downloading APK files and asking the user to install it.
  6. Searching a word provided by the app in Google Play.

SimBad Adware Infection Process

Once the Adware apps installed into the victims mobile, SimBad registers itself to make sure the installed app keeps running on the victims mobile whenever they boot or unlock the mobile.

SimBad later connect to the C&C Server in order to receive the commands from attackers to perform a various malicious operation such as removing the icon, making user harder to uninstall, pushing back round ads. “image”

According to Checkpoint, “SimBad’ has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications. With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.”



Observed C2 server is ‘addroider[.]com’ that is used to Parse Backend infrastructure, a model for providing web app and mobile app developers with a way to link their applications to backend cloud storage and APIs exposed by back-end applications.

This C2 server domain was registered in via GoDaddy and currently, this domain was expired 7 months ago According to RiskIQ’s PassiveTotal.

Also Learn: Certified Advanced Persistent Threat Analyst online course

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Beware !! #1 Adware Removal Mac Store App “Adware Doctor” Spying & Stealing Mac Users Sensitive Data

Beware !! #1 Adware Removal Mac Store App “Adware Doctor” Spying & Stealing Mac Users Sensitive Data

78,000 Fortnite Game Players Infected With Adware While Downloading Fortnite V-Bucks Hack

PythonBot- Dangerous Adware Install on Browser Extension & Bypass Security System

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to...

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...