Android adware abusing plugin frameworks to promote potentially malicious apps

The host app controls all!

Android adware abusing plugin frameworks to promote potentially malicious apps

Android adware has embraced an innovative way to promote potentially malicious apps: abuse Android plugin frameworks.

App promotion isn't anything new on the Android platform.

In the past, we've seen adware install paid applications once they've landed on an device. But to the chagrin of these less-than-honest developers, anti-malware technology can block these efforts.

So what did adware creators do in response? Innovate, of course!

To evade detection, malware samples are now shipping out as plugin-enabled apps. This means the rogue software can abuse plugin frameworks like DroidPlugin and VirtualApp to load arbitrary apps in a virtualized application environment.

In other words, they can ingeniously launch a potentially malicious app (and thereby generate revenue) without actually installing it on a device.

Palo Alto Networks' security researchers Cong Zheng, Wenjun Hu, and Zhi Xu are concerned about this developing trend.As they explain in a blog post:

"This type of app promotion can post security risks because of the comparatively weak security mechanisms used in current plugin frameworks. These plugin frameworks lack the ability to separate permissions and isolate data amongst different plugin instances. Thus, when a promoted app is executed through the plugin framework, it has the same permissions as the host app (typically all Android permissions) and can access the data of the host app or other plugin apps."

Meaning? If a host app gains root permissions, any app it launches through a plugin framework will have those same rights. A scary thought if these secondary apps are malicious programs themselves!

Let's look at a few examples.

In September 2016, the developers behind "Clean Doctor" (CD) made their app more aggressive by creating shortcuts for secondary promoted apps on an infected device's home screen. Whenever a user clicks a shortcut, the promoted app loads in a virtualized environment, an action which generates revenue for the attackers. CD can also automatically launch one of the promoted apps when receiving system events.

A promoted game app is launched as a plugin. (Source: Palo Alto Networks)

A promoted game app is launched as a plugin. (Source: Palo Alto Networks)

A few months later in January 2017, the developers of an app called "bloodpressure" abused plugin technology that launched a promoted app capable of displaying apps and recommending multiple downloadable apps in a single screen. This technique gives adware creators all kinds of opportunities to make money from promoted apps.

Newtrend 5

The plugin app displays multiple ads. (Source: Palo Alto Networks)

In total, Palo Alto Networks' researchers found 32 apps abusing the DroidPlugin framework and 21 APKs doing the same to VirtualApp. All these applications were available on the Play Store. Fortunately, Google has worked with security researchers to remove the programs. But that's not to say there won't be more like them.

To protect against apps that abuse plugin technology, users should install a security solution on their devices that's capable of detecting adware samples.

They should also remain vigilant for warning signs like the creation of new shortcuts to apps they haven't installed on their phones. If they detect any suspicious behavior, they should think back to any new apps they might have downloaded and promptly uninstall them from their devices.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, ,