Jump to content

75 Android Apps Remove Info-Stealing Adware From Their Code


Recommended Posts

Seventy-five apps available for download from the official Google Play Store had to remove a malicious advertising library that was secretly an adware called AdDown, which Trend Micro researchers have been tracking for the last two years.


This adware appeared in January 2015 and besides showing ads to infected users, it also came with the ability to collect personal data on its victims, and at one point could even secretly install apps without the user's knowledge.


Over time, Trend Micro says it detected the adware in over 800 apps that were uploaded on the Play Store, usually as small utility apps, such as wallpaper changers, photo editors, and flashlight apps.


AdDown adware timeline

After an in-depth analysis of apps infected with the AdDown family during the past two years, researchers were able to identify three main stages in its evolution, named: Joymobile, Nativedown, and Xavier.




The first stage of evolution featured the simplest version of the adware, but was also the one with the most intrusive features, coming equipped with a method of installing apps behind the user's back.


The second stage removed this installation method, leaving only one that required the user's approval, but improved other features, such as comms encryption, internal string obfuscation, and user filtering for better ad delivery.


The third and last stage of AdDown was first detected starting with September 2016, and while it generally improved the second stage's features, it also added support for detecting and evading sandbox environments.


That version also removed the ability to install third-party apps, most likely as the adware's author realized he'd have a better chance of remaining undetected if he showed ads here and there, and not force apps down users' throats.


AdDown was distributed via an advertising SDK

Experts say that during the past two years, millions of users appear to have downloaded and installed apps infected with one of these three AdDown adware versions. Trend Micro researcher Ecular Xu said AdDown was distributed to various app developers as an advertising SDK, which explains why it was found in so many apps. Xu published a list of apps previously infected, but which have now removed AdDown from their code:


PackageName Download Count Remove Xavier Date
com.ijksoftware.pdfcreator.camscanner 10000-50000 2017/5/13
com.writeonpicture.textphoto 100000-500000 2017/5/13
com.inateam.cooler.master 500000-1000000 2017/5/13
com.equalizer.volumebooster 1000000-5000000 2017/5/13
com.styletext.font.textonphotos 100000-500000 2017/5/14
com.easytool.screenoff 100000-500000 2017/5/13
com.inateam.pdfreader 100000-500000 2017/5/13
com.placideagles.volumebooster 500000-1000000 2017/5/13
com.allinOne.openquickly 1000000-5000000 2017/5/13
com.inateam.ziprar 100000-500000 2017/5/13
com.coramobile.speedbooster.cleaner 1000000-5000000 2017/5/13
com.coramobile.security.antivirus 1000000-5000000 2017/5/12
com.cleaner.memorybooster.ramoptimizer 1000000-5000000 2017/5/13
com.coramobile.powerbattery.batterysaver 100000-500000 2017/5/12
com.pdfviewer.pdfreader.edit 500000-1000000 2017/5/13
com.cutterringtone.mp3cutter 100000-500000 2017/5/14
com.coramobile.phonecooler.cpucoolermaster 1000000-5000000 2017/5/12
com.autolockscreen.taptaplock 50000-100000 2017/5/13
com.easycapture.screenshot 50000-100000 2017/5/14
com.unziptool.rarextractor 50000-100000 2016/11/18
com.convertmp3.videoconverter 50000-100000 2017/5/13
com.lollicontact.caller 50000-100000 2017/5/13
com.fattys.automaticcallrecording 100000-500000 2017/5/13
com.ponosnocelleh.lolipoptheme 50000-100000 2017/5/13
com.ponosnocelleh.threedtheme 100000-500000 2017/5/13
com.mothrrmobile.volume 100000-500000 2017/5/13
com.greenapp.voicerecorder 10000-50000 2017/5/13
com.sunny.text2photo 100000-500000 2017/5/13
com.fingerprint.lockscreen.prank 100000-500000 2017/5/13
com.keeprr.cutpastephoto 100000-500000 2017/5/13
com.billowy.equalizer.bassbooster 100000-500000 2017/5/13
com.fattysgui.beautyfont 100000-500000 2017/5/13
com.aecenraw.emojionphoto 50000-100000 2017/5/13
com.appworksui.myfonts 100000-500000 2017/5/13
com.forecast.weatherlive.weather 10000-50000 2017/5/13
com.finder.photo.imagessearch 10000-50000 2017/5/13
com.galaxygame.fighterwar 100000-500000 2017/5/13
com.djayfree.mp3djmix 100000-500000 2017/5/13
com.qrscan.qrreader.qrcode 10000-50000 2017/5/13
com.yamagame.stormfighter 100000-500000 2017/5/13
com.minfiapps.screenshost_capture 100000-500000 2017/5/13
com.photogrid.frame.photocollage 10000-50000 2017/5/13
com.greenapp.slowmotion 100000-500000 2017/5/13
net.camspecial.clonecamera 500000-1000000 2017/5/13
com.rartool.superextract 100000-500000 2017/5/13
com.fattystudioringtone.mp3cutter 50000-100000 2017/5/13
com.aepictur.textphoto 100000-500000 2017/5/13
com.live3d.wallpaperlite 100000-500000 2017/5/13
com.xatedses.changehaircoloreye 100000-500000 2017/5/13
com.podhengy.haircolor 100000-500000 2017/5/13
com.mobilescreen.capture 100000-500000 2017/5/13
com.keeprr.textonphoto 100000-500000 2017/5/13
com.mobiletool.rootchecker 100000-500000 2017/5/13
com.galaxy.strikeforce 1000000-5000000 2017/5/13
com.podhengy.photoapp 50000-100000 2017/5/13
com.albumpro.videoslide.galleryphoto 50000-100000 2017/5/13
com.gpsonline.phonetracker 500000-1000000 2017/5/13
com.maxmitek.livewallpaperaquariumfishfish 50000-100000 2017/5/13
com.maxmitek.beachwallpaper 50000-100000 2017/5/13
com.xatedsesmobile.picturesketch 100000-500000 2017/5/13
com.efflicnetwork.ringtonecutter 50000-100000 2017/5/13
com.gigmobile.booster 100000-500000 2017/5/13
com.ponosnocelleh.launchers7 100000-500000 2017/5/13
com.magicvideo.editor.reversevideo 50000-100000 2017/5/12
com.azurersweet.djvirtual 500000-1000000 2017/5/12
com.sevideo.slideshow.videoeditor 1000000-5000000 2017/5/12
com.fourapps.musicplayer.videoplayer 100000-500000 2017/5/12
com.slowmotion.videoslow 500000-1000000 2017/5/12
com.fourvideo.videoshow.videoslide 1000000-5000000 2017/5/12
com.azurersweet.app2sdandremover 100000-500000 2017/5/12
com.azurer.vpnproxy.supervpn 500000-1000000 2017/5/12
com.azurersweet.launcher 50000-100000 2017/5/12
com.appgpfaq.prankcrackscreen 500000-1000000 2017/5/12
com.photoshow.videoeditor.slide 100000-500000 2017/5/12
com.azurersweet.beautymakeup 100000-500000 2017/5/12




Link to comment
Share on other sites

  • Replies 5
  • Views 862
  • Created
  • Last Reply

Both Google and Apple need to do a better job of vetting the apps they allow on their sties.  There should be a contract between them and the developers that would have a clause with a severe financial penalty for developers that include any type of malicious code in their apps.  Or we could just go shoot the crooks, that works for me.

Link to comment
Share on other sites

4 hours ago, straycat19 said:

Both Google and Apple need to do a better job of vetting the apps they allow on their sties.  There should be a contract between them and the developers that would have a clause with a severe financial penalty for developers that include any type of malicious code in their apps.  Or we could just go shoot the crooks, that works for me.

 A closed source world problem , Google cant even control adware in a closed signed in environment I been using Windows for years in a open  environment downloading what and installing with no problems with adware .


Maybe Google cant control it because they are a ad company as in adware  and are some of the biggest crooks  there is.. They dont even charge money for there software or services they just give it away  and  make billions  out of  harvesting and selling you're data.   Using Google for a ad free environment   is a oxymoron as long as you use them you are infected with adware so too stop it they would have too become open source ,shareware (as in chagrining money) or close down. They say what comes around goes around.


I  take what Google says about as serious as I do Microsoft witch is 0%  All  it is News too hype up there products too be better than it is. sort like when you was a kid and you seen a fruity pebbles commercial  with the Flintstones on TV  and you made you're mommy buy you some . Now days kids are saying mommy ,mommy buy me a Android phone  and the shame it is the parents fall for it and kids grow up addicted to the internet they don't even remember what was like before it was a www. And shame of it is even the parents  are so addicted themselves they pass it off to the kids. Even the president of the USA is a internet addict addicted too tweeting on a site that sells you're data as well .Crazy times we live in  .the apocalypse  must be near.  :)

Link to comment
Share on other sites

  • Administrator

Some quite famous and highly downloaded apps there.

Link to comment
Share on other sites

Android users beware! Over 800 Android apps Google Play Store are found to be infected with information-collecting malware dubbed Xavier. According to Trend Micro security experts, the malware has been pre-installed on a wide range of free Android applications, such as photo editors and wallpapers, and has been downloaded millions of times so far. 

The Xavier malware is in fact an ad library – an element, integrated in free apps to enable advertising as a revenue source for their developers, and often referred to as adware. But being a relatively harmless and simple piece of adware when emerged two years ago, Xavier has recently evolved to a more dangerous and sophisticated kind of malicious software. Trend Micro’s security experts say it is now capable of evading detection, remote code execution, and stealing information.
In other words, the malware is smart enough to escape from being analysed by security programs, it has been designed to download remotely executable codes from a server, and it is configured to silently collect sensitive user data including email address, device id, model, OS version, country, manufacturer, SIM card operator, resolution, and installed apps.
An example of an application on Google Play that contains an embedded Xavier ad library

An example of an application on Google Play that contains an embedded Xavier ad library


The highest number of reportedly infected users are from countries in South-east Asia such like Vietnam, Philippines, and Indonesia, with a smaller number of downloads from the US and Europe. The trend we see is more alarming since it is not the first time when Google Play Store is reported to host numerous malware infected apps. It actually happened twice just in the last few months: in March, when more than 100 Play Store apps tried to infect Android devices with Windows malware, and in May, when over 36 million Android devices where affected by the Judy malware.

On the bright side is the fact that you still have easy ways to protect your smartphones. The rules of thumb are simple: always download your apps from trusted developers on Google Play, read the reviews before the installation, and keep your device and apps updated.


Article source

Link to comment
Share on other sites

4 hours ago, Batu69 said:

The rules of thumb are simple: always download your apps from trusted developers on Google Play, read the reviews before the installation, and keep your device and apps updated.


Part of the problem is you can't trust the reviews.  There are a lot of fake or paid reviews on Google Play, just like on Amazon.  You really have to do a lot of research before you can trust a developer because some of the most prolific developers have proven to be the most crooked.  My solution to the problem was to have multiple phones for multiple uses so I don't have to install apps on my primary phone and the other two phones don't even have to have sim cards in them, they can connect by sharing the primary phone connection or public WiFi.  And if they get malware on them they can be factory reset and start over, every thing is expendable.  A lot of people are keeping their old phones for this reason, especially when the term old refers to a phone that is only 1-2 years old.  Essentially they become mini tablets.

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...