Up to 150 million users have probably downloaded and installed an Android app containing a new piece of Android malware called SimBad. According to an analysis by the Israeli security provider Check Point, the malicious code hides in an advertising kit called RXDrioder. Developers who use the kit to show ads in their apps are probably unaware that they are being misused for malware distribution.
The advertising kit is meant to let programmers control how ads are inserted into their apps. According to Check Point, however, the RXDrioder provider used the kit to inject malicious code. That code ensures that the ads shown in the app are not those chosen by the app developer but those chosen by the RXDrioder makers, so the advertising revenue flows to them instead.
Check Point researchers found the malicious advertising kit in 210 Android apps distributed through the Google Play Store. Together, the apps were downloaded by nearly 150 million users. Most of them were racing and shooter games.
The injected malicious code let the people behind SimBad remotely control the RXDrioder SDK built into the apps, behind the backs of the actual app developers, and use the SDK's legitimate functions for their own purposes. Check Point also found functions in the Software Development Kit (SDK) that are not needed for displaying advertising. For example, the SDK can hide an app's icon in the app drawer, which makes the app harder to uninstall.
Above all, however, the criminals reportedly had their own ads displayed on top of the legitimate in-app advertising, and pushed additional online advertising into the smartphone user's browser. The RXDrioder SDK can also open the Play Store or the 9Apps marketplace and lure users into installing particular apps. In addition, SimBad can download apps from predefined servers and install them without the user's knowledge.
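The capabilities described above (side-loading packages, surviving reboots, drawing over other apps, and owning the launcher activity whose disabling hides the icon) all leave traces in an app's manifest. The following triage script is an added example, not code from Check Point or from the article; the manifest it parses is constructed, the package and class names are made up, and the permission list reflects standard Android permission names chosen here, not identifiers from the SimBad report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permissions that give a bundled SDK more reach than ad display
# needs (assumed list for this example, not taken from the SimBad analysis).
SUSPECT_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt to install side-loaded APKs",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself after a reboot",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Flag manifest indicators that merit a closer look at a bundled SDK."""
    root = ET.fromstring(manifest_xml)
    findings = {"package": root.get("package", ""), "permissions": {}, "launcher_activities": []}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in SUSPECT_PERMISSIONS:
            findings["permissions"][name] = SUSPECT_PERMISSIONS[name]
    # The launcher activity is the component an app disables at runtime to vanish from
    # the app drawer; record it so a device-side check can confirm it is still enabled.
    for activity in root.iter("activity"):
        for filt in activity.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.iter("action")}
            categories = {c.get(ANDROID_NS + "name") for c in filt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
                findings["launcher_activities"].append(activity.get(ANDROID_NS + "name"))
    return findings


# Constructed sample: a game that bundles a hypothetical ad SDK and requests more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.racinggame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.adsdk.AdActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against a manifest decoded from an APK with a tool such as apktool; a plain `INTERNET` permission is normal for an ad SDK, while the flagged ones are the ones worth explaining.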
Since then, all apps that use the RXDrioder SDK have been removed from the Play Store. Google reviewed the apps within a few weeks and then deleted them. An overview of all affected apps can be found in the Check Point blog.