An adware family that comes equipped with an information-stealing component hid itself within at least 50 apps available for download on Google’s Play Store.
SophosLabs researchers came across the Android affliction, which is detected as XavirAd, in apps previously available on Google Play like “Add Text On A Photo”.
Many of the affected apps have more than one million downloads to their name. In total, Yu observed as many as 55 million unique downloads of the compromised programs.
Like all other adware, XavirAd is a nuisance in that it will regularly display full-screen ads. This behavior persists even when the user isn’t using the affected app.
Even so, XavirAd is more than just annoying. A component known as Andr/Infostl-BK allows the malware to steal the email address used for the user’s Google account, a list of apps installed on the device, the IMEI identifier, and other crucial user information. It then encrypts all this data and sends it off to a web address where bad actors can do whatever they want with it, all despite the fact that it claims in its privacy policy that it doesn’t collect ANY information.
“Personal information is data that can be used to uniquely identify or contact a single person.
“We do not collect, store or use any personal information while you visit, download or upgrade our website or our products, excepting the personal information that you submit to us when you create a user account, send an error report or participate in online surveys and other activities.”
At the same time, XavirAd goes to great lengths to remain undetected. It encrypts all strings, giving each class its own unique decryption routine. It also uses anti-sandbox technology to avoid running in a virtual environment where researchers might explore its inner workings.
Seeing as XavirAd is far from the first adware to infiltrate Google Play, we certainly can’t say there won’t be more malicious libraries like it.
With that in mind, Android users should take the time to read the reviews of an app before they install it, and they should beware of exceedingly numerous or demanding app permissions upon installation. They should also maintain an up-to-date anti-virus solution.
Visit the article on Sophos’s Naked Security blog to read the list of affected apps.
And for some reason, there's never an actual list in articles like these…
50 apps! Sure… Name them!
If you follow the link to the Sophos research you'll find the list there. Unfortunately they included it as a graphic rather than a text list, which is why we didn't include it.
https://nakedsecurity.sophos.com/2017/05/10/the-google-play-apps-that-say-they-dont-collect-your-data-and-then-do/