SimBad: A Rogue Adware Campaign On Google Play

Research by: Elena Root and Andrey Polkovnichenko

Check Point researchers from the Mobile Threat Team have discovered a new adware campaign on the Google Play Store. This particular strain of adware was found in 206 applications, and their combined download count has reached almost 150 million. Google was swiftly notified and removed the infected applications from the Google Play Store.

Inside the SDK

The malware resides within the ‘RXDrioder’ Software Development Kit (SDK), which is provided by ‘addroider[.]com’ as an ad-related SDK. We believe the developers were tricked into using this malicious SDK, unaware of its content, which explains why this campaign neither targets a specific country nor originates from a single developer. The malware has been dubbed ‘SimBad’ because a large portion of the infected applications are simulator games.

The Infection Chain

Once the user downloads and installs one of the infected applications, ‘SimBad’ registers itself for the ‘BOOT_COMPLETE’ and ‘USER_PRESENT’ intents, which lets ‘SimBad’ perform actions after the device has finished booting and while the user is actively using the device, respectively.

After installation, the malware connects to the designated Command and Control (C&C) server and receives a command to perform. ‘SimBad’ comes with a sizeable list of capabilities on the user’s device, such as removing its icon from the launcher (which makes it harder for the user to uninstall), displaying background ads, and opening a browser with a given URL.

Fig 1: A list of the possible commands from the C&C server

Fig 2: Code that hides the application’s Icon to make it harder to remove

Fig 3: The code that starts the background ads
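The persistence hooks described above are visible in the application manifest: a receiver that listens for the full action strings behind the ‘BOOT_COMPLETE’ and ‘USER_PRESENT’ intents (`android.intent.action.BOOT_COMPLETED` and `android.intent.action.USER_PRESENT`). The following triage script is an added example written for this article, not code from the original post, from Check Point, or from the SDK; it parses a decoded `AndroidManifest.xml` (the form apktool emits), lists every receiver registered for those actions, and flags receivers whose class lives outside the app’s own package, which is what an SDK-supplied component such as the one described here would look like. The sample manifest, the package names and the `com.sdk.ads.BootReceiver` class are constructed for the demonstration; the “third-party component” check is a heuristic, not a verdict.

```python
"""Manifest triage for the persistence pattern described in the SimBad write-up.

Added example; the manifest below is constructed, not taken from the campaign.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Full action strings behind the BOOT_COMPLETE / USER_PRESENT intents the text names.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "runs after the device finishes booting",
    "android.intent.action.USER_PRESENT": "runs each time the user unlocks the device",
}

# Constructed sample: a decoded AndroidManifest.xml in apktool's output shape.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.simulatorgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Simulator Game">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name="com.sdk.ads.BootReceiver" android:enabled="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
                <action android:name="android.intent.action.USER_PRESENT"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def find_persistence_receivers(manifest_xml: str) -> list[tuple[str, list[str]]]:
    """Return (receiver class name, matching actions) for every <receiver>
    whose intent-filter listens for one of the persistence actions."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        actions = [
            action.get(NAME_ATTR)
            for action in receiver.iter("action")
            if action.get(NAME_ATTR) in PERSISTENCE_ACTIONS
        ]
        if actions:
            hits.append((receiver.get(NAME_ATTR, ""), actions))
    return hits


def is_third_party_component(class_name: str, app_package: str) -> bool:
    """Heuristic: a component is the app's own if its name is relative
    (starts with '.') or is prefixed by the manifest package; anything
    else was most likely contributed by a bundled SDK."""
    if not class_name or class_name.startswith("."):
        return False
    return not class_name.startswith(app_package + ".")


def triage(manifest_xml: str) -> dict:
    """Produce a small report: which receivers give the app persistence,
    whether they come from outside the app's package, and an overall flag."""
    root = ET.fromstring(manifest_xml)
    app_package = root.get("package", "")
    findings = []
    for class_name, actions in find_persistence_receivers(manifest_xml):
        findings.append({
            "receiver": class_name,
            "actions": actions,
            "why": [PERSISTENCE_ACTIONS[a] for a in actions],
            "third_party_component": is_third_party_component(class_name, app_package),
        })
    return {
        "package": app_package,
        "persistence_receivers": findings,
        # Worth an analyst's attention when an SDK component wakes on boot/unlock.
        "suspicious": any(f["third_party_component"] for f in findings),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(f"package: {report['package']}  suspicious: {report['suspicious']}")
    for finding in report["persistence_receivers"]:
        print(f"  {finding['receiver']}: {', '.join(finding['actions'])}"
              f" (third-party: {finding['third_party_component']})")
```

Run it against `apktool d app.apk` output by reading `AndroidManifest.xml` into `triage()`. A boot/unlock receiver is common in benign apps, so the useful signal is the combination: an unlock-triggered receiver contributed by an ad SDK package, in an app whose own code has no reason to run while the user is elsewhere.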

What Does SimBad Do?

‘SimBad’ has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications. With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.

With the capability to open market applications, such as Google Play and 9Apps, with a specific keyword search or even a single application’s page, the actor can gain exposure for other threat actors and increase his profits. The actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware once it is required.

Fig 4: An illustration of the attack vector

The C&C Server

The C&C server observed in this campaign is ‘www[.]addroider.com’. This server runs an instance of ‘Parse Server’ (source on GitHub), an open source version of the Parse Backend infrastructure, which is a model for providing web app and mobile app developers with a way to link their applications to backend cloud storage and APIs exposed by back-end applications, while also providing features such as user management, push notifications and more.

The domain ‘addroider[.]com’ was registered via GoDaddy and uses a privacy protection service. Accessing the domain from a browser returns a login page very similar to those of other malware panels. The ‘Register’ and ‘Sign Up’ links are broken and redirect the user back to the login page.

Fig 5: The login page of the domain

Fig 6: The WhoIS information on RiskIQ’s PassiveTotal

According to RiskIQ’s PassiveTotal, the domain expired 7 months ago. As a result, we may be looking at a compromised, parked domain that was initially used legitimately but is now participating in malicious activities.

Our Take

With the capabilities of showing out-of-scope ads, exposing the user to other applications, and opening a URL in a browser, ‘SimBad’ currently acts as adware, but it already has the infrastructure to evolve into a much larger threat.

Appendix 1 – List of Infected Applications: