Dozens of applications available on Google Play were found delivering a strain of adware capable of collecting users’ personal information.
Security researchers at Sophos identified the adware library as Android XavirAd and its information-stealing component as Andr/Infostl-BK.
Detected in more than 50 Google Play apps, including several with millions of downloads, XavirAd is believed to have affected nearly 55 million users.
With these apps installed, users will see full screen advertisements pop up at regular intervals, even when the app is closed, said Sophos researchers in a blog post.
“Once the app is started, the XavirAd library contacts its server and gets [a] configuration code,” the blog post explains.
“The servers responds with advertisement settings including full screen ad intervals, and saves them in shared preferences. The domain api-restlet.com registered for this purpose appears to be a year and a half old, with origins in Vietnam,” said the researchers.
The program then downloads another .dex file from cloud.api-restlet.com, which collects the following information from the user’s device:
- Email address for Google account
- List of apps installed
- IMEI identifier and android_id
- Screen resolution
- Manufacturer, model, brand, OS version
- SIM operator
- App installation source
The information is encrypted and sent to a web address, said the researchers.
To avoid detection, researchers also found XavirAd to use encrypted strings. Each class has its own decryption routine in the class constructor, and although the algorithm remains the same, the keys are different in each class.
Furthermore, the XavirAd library uses anti-sandbox technology to hide from dynamic analysis, stopping malicious behaviors once it detects it is running in a testing environment.
Sophos researchers listed the apps containing the adware here, and advise users to avoid them.