Security researchers have found a new kind of mobile adware hidden in hundreds of Android apps, and downloaded more than 150 million times from Google Play.
The malware masquerading as an ad-serving platform, dubbed SimBad by researchers at security firm Check Point, infected more than 200 apps which, likely unbeknownst to the app developer, would open a backdoor to install additional malware as a way to outsmart Google’s app store scanning. Once installed, the downloaded malware also removes the app icon and persists in the background, loading each time the device boots up.
Once the malware retrieves its instructions from the command and control server, the malware runs through lists of web addresses in the background, serving ads to generate fraudulent revenue.
Check Point provided a list of the apps, which Google pulled from Google Play following a disclosure by the security researchers. The list can be found here. Google’s removal from the app store does not delete the app from users’ devices.
The top 10 downloaded games amount to 55 million downloads alone:
- Snow Heavy Excavator Simulator (10,000,000 downloads)
- Hoverboard Racing (5,000,000 downloads)
- Real Tractor Farming Simulator (5,000,000 downloads)
- Ambulance Rescue Driving (5,000,000 downloads)
- Heavy Mountain Bus Simulator 2018 (5,000,000 downloads)
- Fire Truck Emergency Driver (5,000,000 downloads)
- Farming Tractor Real Harvest Simulator (5,000,000 downloads)
- Car Parking Challenge (5,000,000 downloads)
- Speed Boat Jet Ski Racing (5,000,000 downloads)
- Water Surfing Car Stunt (5,000,000 downloads)
Some of the games, mostly simulation games — hence the malware’s name — date back on Google Play to March 2017, said Aviran Hazum, mobile threat intelligence team leader at Check Point, in an email to TechCrunch.
Hazum said the malware might be an adware for now, but has the potential to evolve into a larger threat.