If the prevalence of abusive Google Play apps has left you numb, this latest report is for you. Carefully concealed adware installed in Google-approved apps with more than 440 million installations was so aggressive that it rendered mobile devices nearly unusable, researchers from mobile security provider Lookout said Tuesday.
BeiTaAd, as the adware is known, is a plugin that Lookout says it found hidden in emojis keyboard TouchPal and 237 other applications, all of which were published by Shanghai, China-based CooTek. Together, the 238 unique apps had a combined 440 million installs. Once installed, the apps initially behaved normally. Then, after a delay of anywhere between 24 hours and 14 days, the obfuscated BeiTaAd plugin would begin delivering what are known as out-of-app ads. These ads appeared on users' lock screens and triggered audio and video at seemingly random times or even when a phone was asleep.
"My wife is having the exact same issue," one person reported in November in this thread discussing BeiTaAd. "This will bring up random ads in the middle of phone calls, when her alarm clock goes off or anytime she uses any other function on her phone. We are unable to find any other information on this. It is extremely annoying and almost [makes] her phone unusable."
Lookout's post said the developers responsible for the 238 apps went to great lengths to conceal the plugin. Early versions of the apps incorporated it as an unencrypted dex file named
beita.renc inside the
assets/components directory. The renaming had the effect of making it harder for users to know the file was responsible for executing code.
Later, app developers renamed the plugin to the more opaque
icon-icomoon-gemini.renc and encrypted it using the Advanced Encryption Standard. The developers then obfuscated the decryption key within the code through a series of functions buried in a package named
com.android.utils.hades.sdk. In later versions still, developers used a third-party library called StringFog, which used XOR– and base64-based encoding to hide every instance of the string "BeiTa" in the files.
"All of the applications we analyzed that contained the BeiTaAd plugin were published by CooTek, and all CooTek apps we analyzed contained the plugin," Kristina Balaam, a security intelligence engineer at Lookout, wrote in an email. "The developer also went to great lengths to hide the plugin's presence in the app, suggesting that they may have been aware of the problematic nature of this SDK. However, we cannot attribute BeiTa to CooTek with complete certainty."
Ars has asked representatives from both CooTek and Google to cRead More – Source