Malware Displaying Porn Ads Discovered in Game Apps on Google Play

Research By: Elena Root & Bogdan Melnykov

Check Point researchers have revealed a new and nasty piece of malicious code on the Google Play Store that hides itself inside around 60 game apps, several of which are intended to be used by children. According to Google Play’s data, the apps have so far been downloaded between 3 million and 7 million times.

How It Works

Dubbed ‘AdultSwine’, these malicious apps wreak havoc in three possible ways:

1. Displaying ads from the web that are often highly inappropriate and pornographic.
2. Attempting to trick users into installing fake ‘security apps’.
3. Inducing users to register to premium services at the user’s expense.

Apart from these current three main activities, the malicious code can use its infrastructure to broaden its goals to other purposes, such as credential theft.

Figure 1: AdultSwine operation flow

Once the malicious app is installed on the device, it waits for a boot to occur or for a user to unlock his screen, upon which it initiates its malicious activity.
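The boot and unlock triggers described above can be checked for during app triage. The following is an added example, not code from the original research: it assumes the triggers are registered in the manifest through the standard Android broadcast actions BOOT_COMPLETED and USER_PRESENT, and it reads a decoded AndroidManifest.xml. The sample manifest and its names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Standard Android broadcast actions; mapping them to the two triggers
# described in the text is an assumption of this example.
TRIGGERS = {
    "android.intent.action.BOOT_COMPLETED": "boot",
    "android.intent.action.USER_PRESENT": "unlock",
}

def trigger_receivers(manifest_xml):
    """Return {receiver_name: sorted trigger labels} for receivers that wake
    on boot and/or screen unlock in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "<unnamed>")
        hits = set()
        for action in receiver.iter("action"):
            label = TRIGGERS.get(action.get(ANDROID_NS + "name"))
            if label:
                hits.add(label)
        if hits:
            found[name] = sorted(hits)
    return found

def triage(manifest_xml):
    """Flag a manifest for manual review when the app listens for both triggers."""
    receivers = trigger_receivers(manifest_xml)
    seen = {t for hits in receivers.values() for t in hits}
    return {"receivers": receivers, "review": seen == {"boot", "unlock"}}

# Constructed sample manifest (not taken from any AdultSwine sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".StartReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A positive result is only a reason to look closer at a game app, since legitimate apps also listen for boot; receivers registered at runtime do not appear in the manifest and are not covered.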

Illegitimate and Inappropriate Ads

First, the malicious code contacts its Command and Control server (C&C) to report the successful installation, sends data about the infected device and then receives the configurations, which determine its course of operation. These configurations instruct it on whether to hide its icon (to hinder removal), which ads to display, over which apps and on what terms. It is interesting to note, however, that the server forbids ads from being displayed over certain apps, such as browsers and social networks, in order to avoid suspicion.

The malicious code then verifies certain conditions regarding the device’s status and checks which app is currently running on screen. Once all its terms are met, it begins to display the illegitimate ads outside of the app’s context. If it is embedded inside a web browser app, the ads will be displayed inside that browser; if not, they will be displayed inside a designated web view.

As for the ads being displayed, they come from two main sources. The first is the main ad providers, which forbid such illegitimate display of their ads. The second is the malicious code’s own ad library, which contains ads of an offensive nature, including pornographic ads. All these are displayed to children while playing the game that the app is masquerading as.

Below is a mild example of the ads presented and a comment from one of the victims, whose son had an unfortunate experience.

Figure 2: Examples of ad displayed and user reviews on Google Play

Scareware – Deceptive App Install Tactics

Another course of action the malicious app pursues is scaring users into installing unnecessary and even harmful “security” apps.

First, the malicious app displays an ad that claims the user’s device is infected by a virus. Should the user press the “Remove Virus Now” notification, he is redirected to an app in the Google Play Store with a somewhat questionable connection to virus removal. An experienced eye could easily foresee this tactic, though a child playing a game app is easy prey for such nefarious apps.

Figure 3 – Left image: Scareware ad displayed. Centre image: The redirect ‘anti-virus’ app in Google Play. Right image: User reviews in Google Play.

Registering To Premium Services

Another technique used by the malicious app is registering the victim to premium services and charging the victim’s account for fraudulent premium services they did not request. In a similar way to the scareware tactic seen above, the malicious app initially displays a pop-up ad, which attempts to persuade the user to click through.

This time however, the ad claims that the user is entitled to win an iPhone by simply answering four short questions. Should the user answer them, the malicious code informs the user that he has been successful, and asks him to enter his phone number to receive the prize. Once entered, the malicious code then uses this number to register to premium services.

The flow is presented in the images below.

Images: Notification of Winning the iPhone; Request to Enter Phone Number

A Comprehensive Threat

For now this malicious app seems to be a nasty nuisance, and it is most certainly damaging on both an emotional and a financial level. Nevertheless, it also has a potentially much wider range of malicious activities that it can pursue, all relying on the same common concept.

The malicious code simply receives a target link from its Command and Control server and displays it to the user. While in some cases this link is merely an advertisement, it could also lead to whatever social engineering scheme the hacker has in mind.

Indeed, these plots continue to be effective even today, especially when they originate in apps downloaded from trusted sources such as Google Play.

Appendix 1 – List of App Names

| App Name | Minimum Downloads | Maximum Downloads |
|---|---|---|
| Five Nights Survival Craft | 1,000,000 | 5,000,000 |
| Mcqueen Car Racing Game | 500,000 | 1,000,000 |
| Addon Pixelmon for MCPE | 500,000 | 1,000,000 |
| CoolCraft PE | 100,000 | 500,000 |
| Exploration Pro WorldCraft | 100,000 | 500,000 |
| Draw Kawaii | 100,000 | 500,000 |
| San Andreas City Craft | 100,000 | 500,000 |
| Subway Banana Run Surf | 100,000 | 500,000 |
| Exploration Lite : Wintercraft | 100,000 | 500,000 |
| Addon GTA for Minecraft PE | 100,000 | 500,000 |
| Addon Sponge Bob for MCPE | 100,000 | 500,000 |
| Drawing Lessons Angry Birds | 50,000 | 100,000 |
| Temple Crash Jungle Bandicoot | 50,000 | 100,000 |
| Drawing Lessons Lego Star Wars | 50,000 | 100,000 |
| Drawing Lessons Chibi | 50,000 | 100,000 |
| Girls Exploration Lite | 10,000 | 50,000 |
| Drawing Lessons Subway Surfers | 10,000 | 50,000 |
| Paw Puppy Run Subway Surf | 10,000 | 50,000 |
| Flash Slither Skin IO | 10,000 | 50,000 |
| Invisible Slither Skin IO | 10,000 | 50,000 |
| Drawing Lessons Lego Ninjago | 10,000 | 50,000 |
| Drawing Lessons Lego Chima | 5,000 | 10,000 |
| Temple Bandicoot Jungle Run | 1,000 | 5,000 |
| Blockcraft 3D | 1,000 | 5,000 |
| Jungle Survival Craft 1.0 | 1,000 | 5,000 |
| Easy Draw Octonauts | 1,000 | 5,000 |
| halloweenskinsforminecraft | 1,000 | 5,000 |
| skinsyoutubersmineworld | 1,000 | 5,000 |
| youtubersskins | 1,000 | 5,000 |
| DiadelosMuertos | 500 | 1,000 |
| Draw X-Men | 500 | 1,000 |
| Moviesskinsforminecraft | 500 | 1,000 |
| Virtual Family – Baby Craft | 500 | 1,000 |
| Mine Craft Slither Skin IO | 500 | 1,000 |
| Guide Clash IO | 100 | 500 |
| Invisible Skin for Slither IO app | 100 | 500 |
| Zombie Island Craft Survival | 100 | 500 |
| HalloweenMakeUp | 100 | 500 |
| ThanksgivingDay | 100 | 500 |
| ThanksgivingDay2 | 100 | 500 |
| Jurassic Survival Craft Game | 100 | 500 |
| Players Unknown Battle Ground | 100 | 500 |
| Subway Bendy Ink Machine Game | 100 | 500 |
| Shin Hero Boy Adventure Game | 100 | 500 |
| Temple Runner Castle Rush | 100 | 500 |
| Dragon Shell for Super Slither | 100 | 500 |
| Flash Skin for Slither IO app | 50 | 100 |
| AnimePictures | 50 | 100 |
| Pixel Survival – Zombie Apocalypse | 50 | 100 |
| Fire Skin for Slither IO app | 10 | 50 |
| San Andreas Gangster Crime | 10 | 50 |
| fidgetspinnerforminecraft | 10 | 50 |
| Stickman Fighter 2018 | 10 | 50 |
| Subway Run Surf | 10 | 50 |
| Guide Vikings Hunters | 10 | 50 |
| Woody Pecker | 10 | 50 |
| Pack of Super Skins for Slither | 10 | 50 |
| Spinner Toy for Slither | 10 | 50 |
| How to Draw Coco and The Land of the Dead | 10 | 50 |
| How to Draw Dangerous Snakes and Lizards Species | 1 | 5 |
| How to Draw Real Monster Trucks and Cars | 1 | 5 |
| How to Draw Animal World of The Nut Job 2 | 1 | 5 |
| How to Draw Batman Legends in Lego Style | 1 | 5 |



Appendix 2 – List of SHA256 hashes