50 Google Play apps found containing info-stealing adware

The Android apps have been downloaded as many as 55 million times...

An adware family that comes equipped with an information-stealing component hid itself within at least 50 apps available for download on Google’s Play Store.

SophosLabs researchers came across the Android affliction, which is detected as XavirAd, in apps previously available on Google Play like “Add Text On A Photo”.

Add text on a Photo app

Source: Sophos

Many of the affected apps have more than one million downloads to their name. In total, Yu observed as many as 55 million unique downloads of the compromised programs.

Like all other adware, XavirAd is a nuisance in that it will regularly display full-screen ads. This behavior persists even when the user isn’t using the affected app.

Even so, XavirAd is more than just annoying. A component known as Andr/Infostl-BK allows the malware to steal the email address used for the user's Google account, a list of apps installed on the device, the IMEI identifier, and other crucial user information. It then encrypts all this data and sends it off to a web address where bad actors can do whatever they want with it, all despite the fact that it claims in its privacy policy that it doesn’t collect ANY information.

Source: Sophos

“Personal information is data that can be used to uniquely identify or contact a single person.

We do not collect, store or use any personal information while you visit, download or upgrade our website or our products, excepting the personal information that you submit to us when you create a user account, send an error report or participate in online surveys and other activities.”

At the same time, XavirAd goes to great lengths to remain undetected. It encrypts all strings, giving each class its own unique decryption routine. It also uses anti-sandbox technology to avoid running in a virtual environment where researchers might explore its inner workings.

Seeing as XavirAd is far from the first adware to infiltrate Google Play, we certainly can’t say there won’t be more malicious libraries like it.

With that in mind, Android users should take the time to read the reviews of an app before they install it, and they should beware of exceedingly numerous or demanding app permissions upon installation. They should also maintain an up-to-date anti-virus solution.

Visit the article on Sophos’s Naked Security blog to read the list of affected apps.

2 Responses

  1. Michele Possamai

    May 16, 2017 at 7:04 am #

    And for some reason, there’s never an actual list in articles like these…
    50 apps! Sure… Name them!

    • Graham Cluley in reply to Michele Possamai.

      May 16, 2017 at 7:16 am #

      If you follow the link to the Sophos research you’ll find the list there. Unfortunately they included it as a graphic rather than a text list, which is why we didn’t include it.

