Check Point discovers SimBad and SWAnalytics, two Android-based SDK malware
Check Point has discovered two new Android malware families. SimBad has infected 206 apps that were downloaded a total of 150 million times. SWAnalytics has affected only 12 apps, but these have already been downloaded 111 million times.
Fans of simulation games on Android found a nasty surprise: 206 apps, including Ambulance Rescue Driving, Farming Tractor Real Harvest Simulator and Fire Truck Emergency Driver, were carrying an annoying adware, SimBad, and had been downloaded 150 million times before Google was able to remove them.
SimBad, a popular adware via SDK
How is it possible that on a controlled store like Google’s, up to 206 apps from different publishers can end up all containing the same adware? Check Point has the answer: it discovered that all these apps had one thing in common, the use of the same SDK, RXDrioder, which manages advertisements within the app.
Many developers had probably chosen this particular Software Development Kit because it offered better terms than the competition. Unfortunately, it contained an adware called SimBad that hammers users with continuous advertising screens even outside the app, constantly opens the Play Store on specific pages (thus spreading like wildfire) and redirects the browser to advertising sites.
Is that all? Not quite. SimBad is so treacherous that it hides the app’s launcher icon, making it harder to uninstall the infected app, and automatically downloads other apps as APK files, though it still has to ask the user for permission to install them.
Once one of the infected apps is installed, SimBad is activated and contacts its C&C (Command & Control) server, from which it receives its instructions. The purpose of the malware is to monetize by showing bursts of ads, even outside the app, but the fact that it can also redirect the device’s browser to specific web addresses means it could be used for phishing attacks. The ability to force the download of an APK and prompt the user to install it also opens the way to installing remote control software.
Google has already removed all the infected apps from the store. The complete list of affected apps is available here.
SWAnalytics, the Chinese malware for Android that steals contacts
The only thing that SWAnalytics and SimBad have in common is that both were delivered inside “legitimate” apps via an SDK, that is, without the developers’ knowledge. Otherwise, they are two completely different types of malware.
SimBad aims for easy gain by bombarding the user with advertising, while SWAnalytics is more subtle and silently harvests the email addresses of all contacts in the phonebook, which are then sent to a server.
SWAnalytics has spread only on the Chinese Play Store and has been tracked down in just 12 apps, which have been downloaded a total of 111 million times. At least in theory, it could have collected contact information from a third of the Chinese population.
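Both families got into apps through a third-party SDK, and the permissions an SDK needs are merged into the app’s own manifest at build time, so a developer who never reviews the merged AndroidManifest.xml may not notice what was added. The script below is an added example written for this article, not code from Check Point or from either malware: it reads a manifest (assumed already decoded to plain XML, for instance with apktool) and flags the permission combinations that the behaviours described above would require, namely contact harvesting, ad overlays outside the app, and side-loading of further APKs. The sample manifests and the capability-to-permission mapping are constructed for illustration; the mapping is a coarse triage heuristic, not a signature.

```python
import xml.etree.ElementTree as ET

# Namespace prefix used for android:* attributes in a decoded manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a manifest whose merged permissions match the capabilities
# the article attributes to SimBad and SWAnalytics (not taken from a real app).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.simgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Sim Game">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample: a manifest that only needs network access, as a typical
# offline-first game with online leaderboards would.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.othergame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Other Game">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Heuristic mapping (author's own, for triage only): each capability described in
# the article and the set of permissions an app would need to carry it out.
CAPABILITY_RULES = {
    "contact exfiltration (SWAnalytics-style)": {
        "android.permission.READ_CONTACTS",
        "android.permission.INTERNET",
    },
    "out-of-app ad overlays (SimBad-style)": {
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.INTERNET",
    },
    "side-loading additional APKs (SimBad-style)": {
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.INTERNET",
    },
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def flag_capabilities(manifest_xml: str) -> list:
    """List the capabilities whose full permission set the manifest requests."""
    perms = requested_permissions(manifest_xml)
    return sorted(name for name, needed in CAPABILITY_RULES.items() if needed <= perms)


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, "->", flag_capabilities(manifest) or "nothing flagged")
```

A hit from this check is a reason to look at which library added the permission (the Gradle manifest merger reports that per dependency), not proof of malware; many legitimate SDKs request overlay or install permissions. Note also that the icon hiding the article describes happens at runtime through the package manager, so it leaves no trace in the manifest and needs dynamic analysis to observe.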