Mobile Menace Monday: despicable adware

Credit to Author: Gleb Malygin| Date: Mon, 16 Oct 2017 17:00:16 +0000

Are you wondering how that mysterious icon ended up on your Android phone’s start screen? Annoyed at the ads clogging your notification bar? You aren’t alone. Thousands of Android apps now include software that shoves marketing icons onto your phone’s start screen or pushes advertising into your notification bar. These apps give you no warning about the adware invasion.

Even though many of these ads come from different mobile marketing companies, all have the same goal—to make money. Working with app developers hungry for some way to make money themselves, these marketing companies will do anything to make a buck. So they’ll bundle popular apps with adware and bombard millions of users with advertising each week.

Introduction to adware

So what, exactly, does adware do? Adware such as Startapp is a subcategory of Potentially Unwanted Programs (PUPs), which are apps or other types of software that you likely didn’t want installed on your computer, either because they hid their true nature or because they came bundled with other wanted programs. So if you download a popular app that comes bundled with adware, you may be in for a less-than-pleasant experience.

Once adware hijacks your device, it might carry out all sorts of unwanted tasks. For example, it could display questionable advertising content as icons, notification messages in the device interface, or pop-up messages. It might also change your browser front page or default search engine. It doesn’t matter whether you are using Chrome, Firefox, or other browsers: It affects all of them.

Let’s take as an example an app called Qr Code And Barcode Reader, which was once available on the Google Play market, but has now been removed. Qr Code marketed itself as a simple barcode reader, but hiding in plain sight was adware.

As discussed in our blog Mobile Menace Monday: Implications of Google Play Protect, Google Play is not impenetrable. In fact, during the time of this writing, two new types of Adware were found in Google Play; Adware.Solid and Adware.Cootek. This is probably why the Qr Code app was available on the market in the first place. So let’s pretend we found this app in Google Play and decided to install it.

First evidence

When you first install Qr Code, it will ask you for device admin permissions without any note of why it needs these rights. If you’re a discerning user, this first piece of evidence may lead you to certain conclusions about the legality of the application itself. However, most people would probably take a quick glance and hit “activate” in order to get the app they were looking for.

Once you select “activate,” you give the app full access to the phone. This is when the app launches its evil plan to load and show ads directly on the home screen. We can explicitly observe this from logcat, a tool used to view real-time system messages on an Android device.

 Logcat evidence 

09-03 07:55:29.961 589-701/system_process I/ActivityManager: START u0 {flg=0x14000000 cmp=com.studiobit.qr.code.and.reader.v2.v2/com.studiobit.qr.code.and.reader.v2.AdvertisementActivity} from uid 10064 on display 0
09-03 07:55:29.972 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 W/GooglePlayServicesUtil: Google Play Store is missing.
09-03 07:55:29.973 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 I/Ads: Starting ad request.
09-03 07:55:29.973 1445-1445/com.studiobit.qr.code.and.reader.v2.v2 I/Ads: Use AdRequest.Builder.addTestDevice(“7C6CCED8FF697C98BEAA38D05BG347D4”) to get test ads on this device.
09-03 07:55:30.500 589-610/system_process I/ActivityManager: Displayed com.studiobit.qr.code.and.reader.v2.v2/com.studiobit.qr.code.and.reader.v2.AdvertisementActivity: +532ms

Scalpel, clamp

If you want to find the smoking gun, a technically savvy person would check the manifest file, where you can see that permissions and activities, services, and receivers are in the list associated with Adware.Startapp—thus without any doubt we can say that this Qr Code app has adware components inside.

Activity:
android:name="com.startapp.android.publish.ads.list3d.List3DActivity"
android:name="com.startapp.android.publish.adsCommon.activities.OverlayActivity"
android:name="com.startapp.android.publish.adsCommon.activities.FullScreenActivity"
Service:
android:name="com.startapp.android.publish.common.metaData.PeriodicMetaDataService"
android:name="com.startapp.android.publish.common.metaData.InfoEventService"
Receiver:
android:name="com.startapp.android.publish.common.metaData.BootCompleteListener"

Methodology

Now we know Qr Code is certainly delivering adware. But in which way? There are many methods of displaying ads, including banners, splash ads, and exit ads. Qr Code uses Interstitial Callback methods.

Interstitial ads are full-screen ads that cover the interface of their host app. They typically appear between natural transition points in the flow of an app, such as between activities or during the pause between levels in a game. When an app shows an interstitial ad, the user has the choice to either tap on the ad and continue to its destination or close it and return to the app.

  • Callback method when Interstitial Ad is loaded:
startAppAds.loadAd(new AdEventListener()
  • Callback method when Interstitial Ad is shown:
startAppAds.showAd(new AdDisplayListener()

 

intrusive ad

This type of ad is disruptive, sometimes difficult to close, and often results in a frustrating user experience.

But what you need to keep in mind when faced with adware is that, despite being incredibly bothersome, it is generally not malicious. There’s a significant difference between adware and dangerous malware such as Trojans or ransomware. Therefore, there’s no need to worry or panic: your device is not under imminent threat.

In fact, many mobile applications that are free of charge often include third-party advertising content. This is done as an alternative form of revenue for the software developers, as a result of not charging users for the application itself. Sometimes using these apps outweighs the inconvenience of having adverts displayed. It’s up to you to decide what you’ll put up with in exchange for keeping the application installed.

However, in our opinion, adware does more harm than good, and you shouldn’t have to put up with overbearing pop-ups in order to enjoy an app. (Malwarebytes for Android will detect adware and remove it if you choose.) So next time you download an app, take a hard look at what it includes. If adware is present, you might do better to choose another one!

The post Mobile Menace Monday: despicable adware appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/