SimBad adware apps downloaded from Google Play nearly 150 million times

  • Liam Tung (CSO Online)
  • 14 March, 2019 06:05

Android users who’ve downloaded at least one of 210 hugely popular apps may have exposed their smartphones to adware that could become a much larger problem in the future. 

Researchers at Israeli cyber security firm Check Point have blown the whistle on a dodgy software development kit (SDK) that rendered hundreds of popular Android apps a threat to their users. 

Google has now removed the malicious apps from the Google Play app store but only after potentially millions of devices were infected. 

The SDK, a malicious advertising platform dubbed ‘RXDrioder’, allows apps that use it to receive harmful instructions form the domain      

Developers of the 210 affected apps most likely victims of the SDK as are the millions of users who installed the apps, which are mostly simulator games like “Snow Heavy Excavator Simulator”, an app with 10 million installs from Google Play. 

“We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific county or developed by the same developer. The malware has been dubbed ‘SimBad’ due to the fact that a large portion of the infected applications are simulator games,” Check Point researchers said

Other popular simulator apps affected by the bad SDK with at least five million installs included Hoverboard Racing, Real Tractor Farming Simulator, Ambulance Rescure, Heavy Mountain Bus Simulator 2018, Fire Truck Emergency Driver, Farming Tractor Real Harvest Simulator, Car Parking Challenge, Speed Boat Jet Ski, Water Surfing Car Stunt, Offroad Wood Transport Truck Driver 2018, Volumen booster & Equalizer, Prado Parking Adventure, and Oil Tanker Transport Truck Driver. 

Users likely wouldn’t notice the malicious app since the malware instructs the device to remove the app icon from the device launcher, making it harder to uninstall the app while it displays ads in the background. 

Besides fraudulently distributing ads among infected devices, the malicious apps can generate phishing pages and then open them in a browser, lending itself to targeted phishing attacks against specific users. 

Should SimBad’s owners choose, they also have the option to remotely install other apps and open a web page in a browser. 

The cyber security firm also exposed an SDK that has been used a dozen apps distributed in China outside of Google Play on Tencent MyApp, Wandoujia, Huawei App Store, and Xiaomi App Store. 

The apps had been downloaded an estimated 111 million times, accordion to Check Point, and are the first known example of of malicious apps that bypass the Android sandbox to install malicious apps.