Just Android things: 150m phones, gadgets installed 'adware-ridden' mobe simulator games

Devs may have been duped into using dodgy SDK, tut-tuts infosec biz


Android adware found its way into as many as 150 million devices – after it was stashed inside a large number of those bizarre viral mundane job simulation games, we're told.

The so-called Simbad malware was built into mobile gaming titles such as Real Tractor Farming Simulator, Heavy Mountain Bus Simulator 2018, and Snow Heavy Excavator Simulator, according to infosec research biz Check Point today.

Each of those named apps had more than five million installs at the time the research was carried out, with Snow Heavy Excavator Simulator having been downloaded more than 10 million times. In total the malware was found in 210 seemingly legitimate apps, which have now been pulled from the Google Play store.

Although researchers believed that the titles were legitimate, they said they thought the devs were “scammed” into using a “malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific country or developed by the same developer.”

Once installed, the malicious Simbad SDK phones home and starts embedding itself on the user device to prevent removal, and would start fetching and displaying ads to generate revenue. Anti-removal techniques it uses include “removing the icon from the launcher,” displaying background ads during normal phone usage, and forcing the device’s browser to open a given URL.

android

'Mummy, what's felching?' Tot gets smut served by Android app

READ MORE

“SimBad has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications,” said Check Point in its summary of the research. “With the capability to open a given URL in a browser, the actor behind SimBad can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.”

The malware’s command and control server runs an off-the-shelf install of Parse Server, an open source version of the Parse Backend mobile app infrastructure software.

With its capabilities including opening targeted URLs in the browser, something which could be used to present a user with a fake login page, Check Point noted that “already has the infrastructure to evolve into a much larger threat.”

So now people have to go through the list of applications and remove them to get rid of the malware, so get busy all you players of Beard mustache hairstyle changer Editor (over one million downloads amazingly).

Google should also take another look at its malware scanning systems. While the Chocolate Factory claims that its AI-powered code checkers booted out 700,000 malicious apps in 2017, it's clear the ad giant is still asleep at the switch. ®

Similar topics


Other stories you might like

  • Google Pixel 6, 6 Pro Android 12 smartphone launch marred by shopping cart crashes

    Chocolate Factory talks up Tensor mobile SoC, Titan M2 security chip ... for those who can get them

    Google held a virtual event on Tuesday to introduce its latest Android phones, the Pixel 6 and 6 Pro, which are based on a Google-designed Tensor system-on-a-chip (SoC).

    "We're getting the most out of leading edge hardware and software, and AI," said Rick Osterloh, SVP of devices and services at Google. "The brains of our new Pixel lineup is Google Tensor, a mobile system on a chip that we designed specifically around our ambient computing vision and Google's work in AI."

    This latest Tensor SoC has dual Arm Cortex-X1 CPU cores running at 2.8GHz to handle application threads that need a lot of oomph, two Cortex-A76 cores at 2.25GHz for more modest workloads, and four 1.8GHz workhorse Cortex-A55 cores for lighter, less-energy-intensive tasks.

    Continue reading
  • BlackMatter ransomware gang will target agriculture for its next harvest – Uncle Sam

    What was that about hackable tractors?

    The US CISA cybersecurity agency has warned that the Darkside ransomware gang, aka BlackMatter, has been targeting American food and agriculture businesses – and urges security pros to be on the lookout for indicators of compromise.

    Well known in Western infosec circles for causing the shutdown of the US Colonial Pipeline, Darkside's apparent rebranding as BlackMatter after promising to go away for good in the wake of the pipeline hack hasn't slowed their criminal extortion down at all.

    "Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory," said the agencies in an alert published on the CISA website.

    Continue reading
  • It's heeere: Node.js 17 is out – but not for production use, says dev team

    EcmaScript 6 modules will not stop growing use of Node, claims chair of Technical Steering Committee

    Node.js 17 is out, loaded with OpenSSL 3 and other new features, but it is not intended for use in production – and the promotion for Node.js 16 to an LTS release, expected soon, may be more important to most developers.

    The release cycle is based on six-monthly major versions, with only the even numbers becoming LTS (long term support) editions. The rule is that a new even-numbered release becomes LTS six months later. All releases get six months of support. This means that Node.js 17 is primarily for testing and experimentation, but also that Node.js 16 (released in April) is about to become LTS. New features in 16 included version 9.0 of the V8 JavaScript engine and prebuilt Apple silicon binaries.

    "We put together the LTS release process almost five years ago, it works quite well in that we're balancing [the fact] that some people want the latest, others prefer to have things be stable… when we go LTS," Red Hat's Michael Dawson, chair of the Node.js Technical Steering Committee, told The Register.

    Continue reading

Biting the hand that feeds IT © 1998–2021