CheckPoint found SimBad, a rogue adware campaign on Google Play with almost 150 million download count

SimBad adware

Image: CheckPoint

According to the latest report from security firm CheckPoint, more than 200 apps in the Google Play Store are infected with malicious ad code that called SimBad. Further analysis found that this could cause devices to force advertisements outside the app, direct users to certain websites and app store links, and even download new apps. After submitting a malware report to Google, Google has removed them from the store. But according to the statistics of the Play Store, it has been cumulatively downloaded nearly 150 million times.

Image: CheckPoint

It is reported that by hiding malicious code, publishers disguised this software as legitimate adware. But if you think they will only advertise, it is a big mistake.

Once the user downloads and installs one of the infected applications, ‘SimBad’ registers itself to the ‘BOOT_COMPLETE’ and ‘USER_PRESENT’ intents, which lets ‘SimBad’ to perform actions after the device has finished booting and while the user is using his device respectively.

After installation, the malware connects to the designated Command and Control (C&C) server, and receives a command to perform. ‘SimBad’ comes with a respected list of capabilities on the user’s device, such as removing the icon from the launcher, thus making it harder for the user to uninstall, start to display background ads and open a browser with a given URL.

‘SimBad’ has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications. With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.

As a platform, Google should have taken the responsibility of app review, but it is clearly not as strict and thorough as the App Store. SimBad even seduces users to download more apps in the form of pornographic ads or abuse system privileges, hijack devices, and use them for distributed denial of service (DDoS) attacks.

Recalling last year, Google claimed that it had made “significant progress” in detecting problematic apps, being able to intercept and remove 99% of harmful apps before installation.

But the existence of SimBad shows that this offensive and defensive battle has never ended. To give Android users secure access to the Play Store, Google obviously has a lot to do.