
Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique

By Jessie Huang (Mobile Threats Analyst)

We recently saw two barcode reader apps in Google Play, together downloaded more than a million times, that started showing unusual behavior (Trend Micro detects these as AndroidOS_HiddenAd.HRXJA). This includes behavior that can be seen even when the user is not actively using the phone; the video below shows an example:

Video 1. Flashing Adware Page

What happened here? What caused the screen to flash? Let’s find the answer by examining the code.

As we noted earlier, the app pretends to be a barcode reader. This part of the app actually works as advertised. However, when run, the app also starts a background service and uses a received notification to keep the service running in the background. This service is disguised using the package name “com.facebook” even though it has nothing to do with Facebook.

Figure 1. Malicious code disguised using Facebook’s name
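
A static triage check for the disguise described above, written as an added example (not code from the sample or from Trend Micro): it lists services and receivers in a decoded AndroidManifest.xml whose class sits under `com.facebook.` while the app's own package does not, and receivers registered for `BOOT_COMPLETED` (the persistence technique in the ATT&CK table). The manifest and every name in it are constructed, and because genuine SDKs also ship components under their own namespace, the output is a review list rather than a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest, as a decoding tool would emit it; all names are placeholders.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.scanner">
  <application>
    <activity android:name=".ScanActivity"/>
    <service android:name="com.facebook.core.SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(xml_text, vendor_prefixes=("com.facebook.",)):
    """Return (tag, class, reasons) for background components worth a manual look."""
    root = ET.fromstring(xml_text)
    app_pkg = root.get("package", "")
    findings = []
    for comp in root.iter():
        if comp.tag not in ("service", "receiver"):
            continue
        name = comp.get(ANDROID + "name", "")
        # Resolve manifest shorthand (".Foo" or "Foo") against the app package.
        if name.startswith("."):
            name = app_pkg + name
        elif "." not in name:
            name = app_pkg + "." + name
        reasons = []
        for prefix in vendor_prefixes:
            # Vendor namespace used by an app that is not in that namespace itself.
            if name.startswith(prefix) and not (app_pkg + ".").startswith(prefix):
                reasons.append("class under " + prefix + "* in unrelated package")
        actions = {a.get(ANDROID + "name") for a in comp.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            reasons.append("starts on BOOT_COMPLETED")
        if reasons:
            findings.append((comp.tag, name, reasons))
    return findings

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```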

The service uses a timer to show ads every 15 minutes. It uses what appears to be random data to both control this behavior and hide it from unsuspecting eyes.

Figure 2. Timer to show ads

Figures 3 and 4. Adware configuration traffic

The “random data” is received from the command-and-control server and contains configuration information, ad IDs, and other commands from that server. The app may open specified content in the phone’s browser or start an activity using an intent with the FLAG_ACTIVITY_NEW_TASK flag. If an activity is started this way, the user won’t know which app opened it.

Figure 5. Start activity with intent

Figure 6. Code to close advertisement

The app requests ads at 15-minute intervals and also adds listeners to monitor the ad’s status. When the ad is opened, the page is closed right away, so the user does not see the ad at all. Instead, this causes a visible “flash,” as seen in the first video.

We have listed ad fraud tactics and techniques in our mobile threat landscape report. This particular method falls under the Fake Impressions category: the ad was indeed opened and the view recorded, but it was closed immediately and never seen by human eyes.

Figure 7. Evolving ad fraud techniques

This process still occurs when the user is not actively using the device — and even when the screen is off. The captured network traffic shows that there was still ad-related traffic with the same ad ID as in Figure 4.

Figure 8. Ad-related network traffic
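
Detection logic for the pattern in this section, as an added example that is not from the original post: it groups per-app network records by destination host and flags flows whose requests repeat at the 15-minute timer interval while the screen is mostly off. The record layout, package and host names, thresholds, and the assumption that screen state has already been joined onto each record are all constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (epoch_seconds, app_package, host, screen_on).
# Package and host names are placeholders, not indicators from the report.
SAMPLE = [
    (t, "com.example.scanner", "ads.example.net", False)
    for t in (0, 901, 1799, 2702, 3600, 4498)
] + [
    (30, "com.example.news", "ads.example.net", True),
    (95, "com.example.news", "ads.example.net", True),
    (4000, "com.example.news", "ads.example.net", True),
    (4020, "com.example.news", "ads.example.net", True),
    (9000, "com.example.news", "ads.example.net", False),
]

def find_timer_driven_ad_traffic(records, period=900, tolerance=0.05,
                                 min_requests=5, min_screen_off=0.5):
    """Return {(app, host): stats} for flows that repeat on a fixed timer."""
    flows = defaultdict(list)
    for ts, app, host, screen_on in records:
        flows[(app, host)].append((ts, screen_on))

    findings = {}
    for key, events in flows.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        # Share of gaps that sit within tolerance of the expected period.
        on_period = sum(abs(g - period) <= period * tolerance for g in gaps)
        regular = on_period / len(gaps)
        # Share of requests issued while nobody could have been looking.
        screen_off = sum(not on for _, on in events) / len(events)
        if regular >= 0.8 and screen_off >= min_screen_off:
            findings[key] = {
                "requests": len(events),
                "median_gap_s": median(gaps),
                "regular_share": round(regular, 2),
                "screen_off_share": round(screen_off, 2),
            }
    return findings

if __name__ == "__main__":
    for (app, host), stats in find_timer_driven_ad_traffic(SAMPLE).items():
        print(app, host, stats)
```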

In addition, this app used an interesting method to disguise itself and put the blame on other apps installed on the phone, so that it could evade being uninstalled if the user became suspicious of any activity. In the list of recent tasks on the phone, the malicious app uses the name and icon of other apps installed on the phone, as seen in the video below:

Video 2. App with copied name and icon

Figure 9. App using icon from other apps

We can find the real culprit app using the Android debug bridge (adb) via the command “adb shell dumpsys activity”, as shown in the figure below.

Figure 10. Display of dumped activity
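
The attribution step above as an added example (not part of the original post): it parses the recent-tasks section of the dump to find the package that really owns each task and reports tasks whose label in the recents screen belongs to a different app. The dump excerpt is constructed and simplified, its field layout varies between Android versions, and the two label maps are hypothetical analyst-supplied inputs.

```python
import re

# Constructed, simplified excerpt modelled on the recent-tasks section of
# `adb shell dumpsys activity`; package names are placeholders.
SAMPLE_DUMP = """\
ACTIVITY MANAGER RECENT TASKS (dumpsys activity recents)
  Recent tasks:
  * Recent #0: TaskRecord{5d1c0a2 #214 A=com.example.scanner U=0 StackId=31 sz=1}
    userId=0 effectiveUid=u0a187 mCallingUid=u0a187 mCallingPackage=com.example.scanner
    realActivity=com.example.scanner/.ui.PopupActivity
  * Recent #1: TaskRecord{9e3f771 #209 A=com.example.mail U=0 StackId=28 sz=1}
    userId=0 effectiveUid=u0a140 mCallingUid=u0a140 mCallingPackage=com.example.mail
    realActivity=com.example.mail/.InboxActivity
"""

# The class name before "{" differs between Android versions, so match any word.
TASK_RE = re.compile(r"\* Recent #(\d+): \w+\{\S+ #(\d+) ")
REAL_RE = re.compile(r"realActivity=\{?([\w.]+)/([\w.$]+)")

def recent_task_owners(dump):
    """Return one dict per recent task: position, task id, owning package, activity."""
    tasks, current = [], None
    for line in dump.splitlines():
        m = TASK_RE.search(line)
        if m:
            current = {"position": int(m.group(1)), "task_id": int(m.group(2)),
                       "package": None, "activity": None}
            tasks.append(current)
            continue
        m = REAL_RE.search(line)
        if m and current is not None and current["package"] is None:
            pkg, cls = m.groups()
            current["package"] = pkg
            # Expand the ".Class" shorthand to a fully qualified class name.
            current["activity"] = pkg + cls if cls.startswith(".") else cls
    return tasks

def borrowed_identity(tasks, shown_labels, app_labels):
    """Tasks whose label in the recents screen is not the owning package's label.

    shown_labels: {position: label the analyst saw in the recents screen}
    app_labels:   {package: launcher label of that installed package}
    """
    hits = []
    for t in tasks:
        shown = shown_labels.get(t["position"])
        if shown is not None and shown != app_labels.get(t["package"]):
            hits.append((t["task_id"], t["package"], shown))
    return hits
```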

This adware is distributed via two apps on the Google Play store from the same developer. We first detected these apps as adware in 2019, but at the time, they did not have the behavior we documented in this post. (We contacted Google before publishing this post, and the apps have since been removed from Google Play.) Users also noted that the app had malicious behavior as far back as 2018.

Figures 11 and 12. App information from Google Play

Figure 13. User reviews indicating malicious behavior

We identified a total of 51 distinct apps (as differentiated by their package names) that were part of this campaign and showed identical adware behavior. A total of 95 samples of these apps were found. However, these apps were either removed by Google before the publication of this post or distributed by other means.

It should be noted that in general, downloading a separate barcode reader is not necessary. Most versions of Android already contain a barcode reader, rendering a separate app superfluous.

Trend Micro solutions

Users can install security solutions, such as Trend Micro™ Mobile Security for iOS and Trend Micro™ Mobile Security for Android™ (also available on Google Play), that can block malicious apps. End users can also benefit from their multilayered security capabilities that secure the device owner’s data and privacy, and features that protect them from ransomware, fraudulent websites, spyware, and identity theft.

For organizations, the Trend Micro™ Mobile Security for Enterprise suite provides device, compliance and application management, data protection, and configuration provisioning. The suite also protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.

MITRE ATT&CK techniques

Tactic | Technique | ID | Description
Initial Access | Deliver Malicious App via Authorized App Store | T1475 | Used to upload malware to Google Play store
Persistence | App Auto-Start at Device Boot | T1402 | Used to listen for the BOOT_COMPLETED broadcast
Impact | Generate Fraudulent Advertising Revenue | T1472 | Used to generate revenue by showing non-closeable ads
Command and Control | Standard Application Layer Protocol | T1437 | Used to communicate with remote C2 server

Indicators of Compromise
