Google has removed 164 apps, downloaded a total of 10 million times, from its Google Play marketplace because they were delivering “disruptive” ads, considered malicious.
Last year, the tech giant banned apps that delivered this type of advertising, called out-of-context ads. But the problem continues to plague Google despite numerous efforts by the company to prevent “malicious developers” from submitting their apps to its Google Play marketplace.
Researchers discovered the offending apps mimicking legitimate apps to garner downloads, “only to then trick the user into seeing a whole bunch of unexpected ads,” researchers Gabi Cirlig, Michael Gethers, Lisa Gansky and Adam Sell wrote in a report published by WhiteOps Satori Threat Intelligence Team.
WhiteOps identified the 164 apps, calling them CopyCatz apps, because the bulk of those identified attempted to mimic the functions of other popular apps – and spewed the obnoxious ads.
Beating Back the Tide of Bad Apps
Google has struggled with bad apps delivering adware and other malware on Google Play for years, and has made significant strides to prevent threat actors from sneaking their rogue apps on Google Play.
Last February, Google deleted 600 apps for displaying the same type of behavior as the latest raft of deleted apps, and subsequently banned them from the store. However, some threat actors didn’t get the memo and have still been able to sneak this type of app through, Satori researchers found.
So-called CopyCatz apps, which serve up out-of-context ads, bombard users with ads regardless of whether the host app is active or not. Typically, the ads are considered obnoxious and can often contain disingenuous marketing messages. The Satori team discovered 164 apps containing the underlying code capable of displaying out-of-context ads. Linking the apps was the “com.tdc.adservice” package, they wrote.
Dropbox: Unwitting Participant
“The apps’ behavior is controlled by a command-and-control JSON hosted on Dropbox,” researchers wrote, adding that Dropbox is a victim and not a participant in the operation. “The URL of the JSON differs from app to app, but the structure is very similar, indicating the frequency of the ads and the Publisher ID to be used.”
Researchers detail the first app they observed triggering out-of-context ads in the recent campaign, which is called Assistive Touch 2020. The app is a copy of a legitimate app of the same name, minus the “2020” and with a misspelling, the latter being a common tactic used by threat actors in this type of campaign, researchers said.
Once the app is installed, it reaches out to the com.tdc.adservice package, which is its command-and-control server. That delivers parameters for how often the ads are displayed, what type they are — whether in-house ads or out-of-context ads — and from which platform they should be retrieved, they said.
The app then gives the unsuspecting user “a grace period of a couple of hours” before serving up the out-of-context ads, which are excluded from the device’s list of recent apps. The ads also disappear as soon as the user navigates away from them, researchers said.
Curious Lack of Obfuscation
Curiously, the bad apps “didn’t really try to cover their tracks” once they were downloaded onto a user device, researchers noted.
“All of them have the open-source Evernote job scheduler embedded inside used as a persistence mechanism,” they said, adding once again that Evernote is not a willing partner in the operation. “A quick lookup for Evernote jobs led us to the entry point of the out-of-context ads controller located inside the AdsJob class.”
Fortunately for users, this lack of obfuscation makes the bad apps easy to spot on a device, and researchers have included a full list of apps in an index to the report that they recommend Android users remove if they are found on their devices.
They also recommend that users block any apps that call ads from activities inside the package com.tdc.adservice.
“Even though platforms could choose to allow legitimate traffic from these apps by blocking only the out-of-context ads, the Satori Team recommends using the heavier-handed approach of blocking all the apps, since they were likely created very specifically to take advantage of the digital ecosystem,” they wrote.
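The report’s two concrete indicators, the shared com.tdc.adservice controller package and the Evernote job scheduler it embeds (with the AdsJob entry point), can be turned into a quick APK triage check. The following is an added example written for this article, not the Satori team’s tooling: it assumes the apps are unobfuscated, as the researchers describe, so type descriptors survive as plain strings in classes.dex and a byte search is enough; the sample APK it builds is constructed test data.

```python
"""Triage an APK for the out-of-context-ad indicators named in the report."""
import io
import zipfile

# Indicators taken from the report: the shared ad-controller package, the
# open-source job scheduler used for persistence, and the named entry class.
PRIMARY_MARKER = b"Lcom/tdc/adservice/"
JOB_MARKER = b"Lcom/evernote/android/job/"
ADSJOB_MARKER = b"AdsJob"


def scan_apk_bytes(apk_bytes: bytes) -> dict:
    """Report which markers appear in any classes*.dex entry of the APK.

    Unobfuscated dex files keep type descriptors as plain MUTF-8 strings, so a
    byte search is enough for a first pass (this is not a full dex parser).
    """
    found = {"tdc_adservice": False, "evernote_job": False, "adsjob_class": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue
            blob = zf.read(name)
            found["tdc_adservice"] |= PRIMARY_MARKER in blob
            found["evernote_job"] |= JOB_MARKER in blob
            found["adsjob_class"] |= ADSJOB_MARKER in blob
    return found


def verdict(found: dict) -> str:
    """The controller package alone is the blocking criterion the report gives;
    the scheduler is a legitimate library, so it only corroborates."""
    if found["tdc_adservice"]:
        return "block"
    if found["evernote_job"] and found["adsjob_class"]:
        return "review"
    return "clean"


def build_fake_apk(dex_payload: bytes) -> bytes:
    """Constructed sample: a minimal zip with one classes.dex (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", b"dex\n035\0" + dex_payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_fake_apk(b"Lcom/tdc/adservice/AdsJob;Lcom/evernote/android/job/Job;")
    print(verdict(scan_apk_bytes(sample)))  # block
```

Point scan_apk_bytes at real APKs pulled with adb to check a device against the report’s list; a "review" result should be confirmed by hand, since many legitimate apps ship the Evernote scheduler.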