Skinner adware

Security researchers have spotted a new mobile adware family targeting Android devices, and yet again, an app infected with this threat managed to make its way into the Google Play Store.

Named Skinner, this new adware family has managed to impress security researchers, who said it featured a level of complexity not encountered in most Adware adware families.

Skinner hides under layers of obfuscated code

According to Check Point researchers, who were the first to spot this new threat, Skinner is disguised as one of the app's modules, hidden under layers of obfuscated code.

Unlike other malware families who use commercially-available code obfuscation tools, Skinner's authors created their own scheme, which made reverse engineering much difficult.

Before launching into execution, Skinner will perform a series of checks, most of which are similar to the ones desktop malware families make, but which are rarely seen in mobile threats.

For starters, the malware won't execute until a user opens an app, as proof it's not running in an automated environment. After that, it checks for the presence of known debuggers and hardware emulators. The last step involves Skinner checking if the app it launches from was installed from the Google Play Store.

Skinner shows ads based on app categories

If everything checks out, Skinner will enter the typical behavioral pattern of Android malware. This involves collecting data on the infected device and sending it to its C&C server, where it registers as a new infection.

After this, the malware stands and waits to receive ads. When this happens, Skinner doesn't blast random ads at infected victims, but first checks the type of app a user is using and delivers an appropriate ad.

According to researchers, Skinner will show different types of ads based on four app categories, which are: navigation apps, caller apps, utility apps, and browser apps.

This behavior is the first of its kind among Android adware, Check Point researchers said.

"Until now, only banker-overlay malware displayed such activity," researchers said. "This sort of tailored 'marketing' is likely to drastically increase the malware’s success rate."

This behavior, coupled with its pre-run checks and advanced code obfuscation make Skinner stand apart from your typical Android adware, and is a threat to keep an eye out for.

Skinner spotted in only one app

According to Check Point, the good news is that researchers spotted Skinner in only one Google Play Store app, that had a maximum of 10,000 users. The bad news is that Skinner went undetected on the Play Store for more than two months before being discovered.

Other Android malware families that managed to reach the Google Play Store include BankBot, Charger, HummingBad, Viking Horde, DressCode and CallJam.