50 Google Play apps found containing info-stealing adware

The Android apps have been downloaded as many as 55 million times…

An adware family that comes equipped with an information-stealing component hid itself within at least 50 apps available for download on Google's Play Store.

SophosLabs researchers came across the Android affliction, which is detected as XavirAd, in apps previously available on Google Play like "Add Text On A Photo".

[Image: the "Add Text On A Photo" app. Source: Sophos]

Many of the affected apps have more than one million downloads to their name. In total, Yu observed as many as 55 million unique downloads of the compromised programs.

Like all other adware, XavirAd is a nuisance in that it will regularly display full-screen ads. This behavior persists even when the user isn't using the affected app.

Even so, XavirAd is more than just annoying. A component known as Andr/Infostl-BK allows the malware to steal the email address used for the user's Google account, a list of apps installed on the device, the IMEI identifier, and other crucial user information. It then encrypts all this data and sends it off to a web address where bad actors can do whatever they want with it, all despite the fact that its privacy policy claims it doesn't collect ANY information.

"Personal information is data that can be used to uniquely identify or contact a single person.

"We do not collect, store or use any personal information while you visit, download or upgrade our website or our products, excepting the personal information that you submit to us when you create a user account, send an error report or participate in online surveys and other activities."

At the same time, XavirAd goes to great lengths to remain undetected. It encrypts all strings, giving each class its own unique decryption routine. It also uses anti-sandbox technology to avoid running in a virtual environment where researchers might explore its inner workings.

Seeing as XavirAd is far from the first adware to infiltrate Google Play, we certainly can't say there won't be more malicious libraries like it.

With that in mind, Android users should take the time to read the reviews of an app before they install it, and they should beware of exceedingly numerous or demanding app permissions upon installation. They should also maintain an up-to-date anti-virus solution.

Visit the article on Sophos's Naked Security blog to read the list of affected apps.

2 Responses

  1. Michele Possamai

    May 16, 2017 at 7:04 am #

    And for some reason, there's never an actual list in articles like these…
    50 apps! Sure… Name them!

    • Graham Cluley in reply to Michele Possamai.

      May 16, 2017 at 7:16 am #

      If you follow the link to the Sophos research you'll find the list there. Unfortunately they included it as a graphic rather than a text list, which is why we didn't include it.

      https://nakedsecurity.sophos.com/2017/05/10/the-google-play-apps-that-say-they-dont-collect-your-data-and-then-do/
