50 Google Play apps found containing info-stealing adware

The Android apps have been downloaded as many as 55 million times…

David Bisson

An adware family that comes equipped with an information-stealing component hid itself within at least 50 apps available for download on Google’s Play Store.

SophosLabs researchers came across the Android affliction, which is detected as XavirAd, in apps previously available on Google Play like “Add Text On A Photo”.

[Image: the “Add Text On A Photo” app. Source: Sophos]

Many of the affected apps have more than one million downloads to their name. In total, Yu observed as many as 55 million unique downloads of the compromised programs.

Like all other adware, XavirAd is a nuisance in that it will regularly display full screen ads. This behavior persists even when the user isn’t using the affected app.

Even so, XavirAd is more than just annoying. A component known as Andr/Infostl-BK allows the malware to steal the email address used for the user’s Google account, a list of apps installed on the device, the IMEI identifier, and other crucial user information. It then encrypts all this data and sends it off to a web address where bad actors can do whatever they want with it, all despite the fact that its privacy policy claims it doesn’t collect ANY information.

“Personal information is data that can be used to uniquely identify or contact a single person.

“We do not collect, store or use any personal information while you visit, download or upgrade our website or our products, excepting the personal information that you submit to us when you create a user account, send an error report or participate in online surveys and other activities.”

At the same time, XavirAd goes to great lengths to remain undetected. It encrypts all strings, giving each class its own unique decryption routine. It also uses anti-sandbox technology to avoid running in a virtual environment where researchers might explore its inner workings.

Seeing as XavirAd is far from the first adware to infiltrate Google Play, we certainly can’t say there won’t be more malicious libraries like it.

With that in mind, Android users should take the time to read the reviews of an app before they install it, and they should beware of exceedingly numerous or demanding app permissions upon installation. They should also maintain an up-to-date anti-virus solution.

Visit the article on Sophos’s Naked Security blog to read the list of affected apps.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “50 Google Play apps found containing info-stealing adware”

  1. Michele Possamai

    And for some reason, there's never an actual list in articles like these…
    50 apps! Sure… Name them!

    1. If you follow the link to the Sophos research you'll find the list there. Unfortunately they included it as a graphic rather than a text list, which is why we didn't include it.

