Google Play Apps Found Serving Adware

Dozens of applications available on Google Play were found delivering a strain of adware capable of collecting users’ personal information.
With these apps installed, users will have a full screen advertisement popping up at regular intervals even when the app is closed. For example:
adware-popup
The program then downloads another .dex file from cloud.api-restlet.com, which collects the following information from the user’s device:

Email address for Google account
List of apps installed
IMEI identifier and android_id
Screen resolution
Manufacturer, model, brand, OS version
SIM operator
App installation source

To avoid detection, researchers also found XavirAd to use encrypted strings. Each class has its own decryption routine in the class constructor, and although the algorithm remains the same, the keys are different in each class.

Furthermore, the XavirAd library uses anti-sandbox technology to hide from dynamic analysis, stopping malicious behaviors once it detects it is running in a testing environment. It also checks the user’s email address for another safety net that it’s not run by a tester. If the email address contains the following strings, it will stop the action:
The following Google Play apps contain XavirAd, and users may want to avoid them:
apps-used-on-google-play

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>