Dozens of applications available on Google Play were found delivering a strain of adware, XavirAd, that also collects users' personal information.
With one of these apps installed, a full-screen advertisement pops up at regular intervals, even when the app itself is closed. For example:
The library then downloads a second .dex file from cloud.api-restlet.com, and the downloaded code collects the following information from the user's device:
Email address for Google account
List of apps installed
IMEI identifier and android_id
Manufacturer, model, brand, OS version
App installation source
Researchers also found that XavirAd encrypts its strings to avoid detection. Each class has its own decryption routine in its class constructor; the algorithm is the same across classes, but every class uses a different key, so a single global decryptor is not enough.
Furthermore, the XavirAd library uses anti-sandbox checks to evade dynamic analysis: once it detects that it is running in a testing environment, it stops its malicious behavior. As a second safety net against being run by an analyst, it also checks the email address of the device's Google account; if the address contains any of the following strings, it stops as well:
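The per-class scheme described above is what an analyst has to reproduce before the rest of the library can be read. The following is an added example (not code from the report or from XavirAd) of how such a decryptor is typically rebuilt: one shared routine, a table of keys recorded per class while reading each constructor, and a pass over every class's string table. The algorithm itself is an assumption here (repeating-key XOR over Base64 text), as are the class names, keys and sample strings; the page documents only the structure, not the cipher.

```python
"""Rebuilding a per-class string decryptor (added example, not XavirAd's code).

Assumption, not from the report: the shared algorithm is modelled as
repeating-key XOR over Base64-encoded bytes. Class names, keys and the
sample string tables below are constructed for this example.
"""
import base64
from typing import Dict, List


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so it serves both directions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_string(plain: str, key: bytes) -> str:
    """Only used to build the constructed sample tables below."""
    return base64.b64encode(xor_with_key(plain.encode("utf-8"), key)).decode("ascii")


def decrypt_string(blob: str, key: bytes) -> str:
    """The shared routine: identical for every class, parameterised by the class key."""
    return xor_with_key(base64.b64decode(blob), key).decode("utf-8", errors="replace")


# Keys recorded per class while reading each class's constructor (hypothetical).
CLASS_KEYS: Dict[str, bytes] = {
    "com/example/xsdk/a": b"alpha-key-1",
    "com/example/xsdk/b": b"beta-key-2",
}

# Constructed plaintexts: the kind of strings such a library hides
# (the C2 host from the report, an identifier name, Android API names).
PLAINTEXTS: Dict[str, List[str]] = {
    "com/example/xsdk/a": ["cloud.api-restlet.com", "android_id"],
    "com/example/xsdk/b": ["getDeviceId", "getAccountsByType"],
}

# Constructed encrypted tables, built with the sample's own keys so the
# example is self-consistent and runs offline.
ENCRYPTED_TABLES: Dict[str, List[str]] = {
    cls: [encrypt_string(s, CLASS_KEYS[cls]) for s in strings]
    for cls, strings in PLAINTEXTS.items()
}


def decrypt_class_table(class_name: str, blobs: List[str],
                        class_keys: Dict[str, bytes]) -> List[str]:
    """Decrypt one class's string table with that class's key.

    A missing key is an error rather than a fallback to some global key:
    with per-class keys there is no global key to fall back to.
    """
    try:
        key = class_keys[class_name]
    except KeyError:
        raise KeyError(f"no key recorded for {class_name}; read its constructor first") from None
    return [decrypt_string(b, key) for b in blobs]


def decrypt_all(tables: Dict[str, List[str]],
                class_keys: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Decrypt every class's table; the result is what a static pass would annotate."""
    return {cls: decrypt_class_table(cls, blobs, class_keys) for cls, blobs in tables.items()}


if __name__ == "__main__":
    for cls, strings in decrypt_all(ENCRYPTED_TABLES, CLASS_KEYS).items():
        print(cls, strings)
    # Using class a's blob with class b's key yields garbage, which is why
    # a single global decryptor does not work against this layout.
    blob = ENCRYPTED_TABLES["com/example/xsdk/a"][0]
    print(repr(decrypt_string(blob, CLASS_KEYS["com/example/xsdk/b"])))
```

In practice the key table is filled in one class at a time from the decompiled constructors; the point of keeping the routine and the key table separate is that the routine is written once, while each new class only adds a row.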
The following Google Play apps contain XavirAd, and users may want to avoid them: