An Android app component meant to provide inter-user chat capabilities has been opening websites and clicking on ads in the background on users' phones.
According to a report published last week, this malicious component is part of a software development kit (SDK) offered by a Chinese company named 呀呀云 (Ya Ya Yun).
Android app developers use the Ya Ya Yun SDK to add an instant messaging (chat) feature to the games they develop. The game calls the SDK for its chat features, which frees the developers to work on other parts of the game.
The practice of using an SDK to offload app features to a third party's remote services carries a risk: the SDK ships as part of the app, runs with the app's permissions, and can fetch whatever its operator chooses to serve, which effectively gives that remote company control over your app.
In the case of Android game developers who chose the Ya Ya Yun SDK, this trust was misplaced, according to Russian antivirus vendor Dr.Web.
The company's mobile security researchers said they spotted apps containing this SDK on the official Google Play Store. These apps, according to Dr.Web, were downloading additional components hidden inside benign-looking images, like the ones below:
The Ya Ya Yun SDK downloaded these images, unpacked the malicious component hidden inside, and ran it on users' devices. For now, the downloaded components only opened a URL inside a hidden browser and clicked on ads for the crooks' profit, but experts say this could very easily be changed to many other malicious actions.
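The article does not say how the module was packed into the images, so the following is an added example rather than a description of the Ya Ya Yun loader. It assumes one of the most common ways of hiding a payload in an image that still displays normally: appending it after the image's end marker (the PNG IEND chunk or the JPEG EOI marker). The checker below walks the image structure instead of trusting the file size, reports any trailing bytes, and classifies them by magic number (DEX, ZIP/APK, ELF). The sample images are constructed inline; none of this is code from Dr.Web or from the SDK.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAGICS = {
    b"dex\n": "dex",        # Dalvik executable
    b"PK\x03\x04": "zip",   # ZIP / APK / JAR
    b"\x7fELF": "elf",      # native library
}


def png_end_offset(data):
    """Offset just past the IEND chunk, or None if the data is not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data):
    """Offset just past the EOI marker, walking segments so a thumbnail's EOI is not mistaken for the real one."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None  # malformed: expected a marker here
        marker = data[pos + 1]
        pos += 2
        if marker == 0xFF:            # fill byte before a marker
            pos -= 1
            continue
        if marker == 0xD9:            # EOI: the image proper ends here
            return pos
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            continue                  # standalone markers carry no length field
        if pos + 2 > n:
            return None
        pos += struct.unpack(">H", data[pos:pos + 2])[0]
        if marker == 0xDA:            # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def trailing_payload(data):
    """Bytes that follow the image's end marker (empty if the image ends where it should)."""
    for end_fn in (png_end_offset, jpeg_end_offset):
        end = end_fn(data)
        if end is not None:
            return data[end:]
    return b""


def classify_payload(payload):
    """'none' for no trailing data, a magic-number name if recognised, else 'unknown'."""
    if not payload:
        return "none"
    for magic, name in MAGICS.items():
        if payload.startswith(magic):
            return name
    return "unknown"


def scan_image(data):
    payload = trailing_payload(data)
    return {"trailing_bytes": len(payload), "payload_type": classify_payload(payload)}


# --- constructed sample inputs (not real files from the report) ---
def make_png():
    """A valid 1x1 RGB PNG built by hand."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_jpeg():
    """A structurally valid (not decodable) JPEG: SOI, APP0, SOS with stuffed 0xFF, EOI."""
    return (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"
            + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")


FAKE_DEX = b"dex\n035\x00" + b"\x00" * 16  # DEX magic + padding, constructed

if __name__ == "__main__":
    for name, blob in (("clean.png", make_png()), ("clean.jpg", make_jpeg()),
                       ("stego.png", make_png() + FAKE_DEX), ("stego.jpg", make_jpeg() + FAKE_DEX)):
        print(name, scan_image(blob))
```

Trailing bytes on their own are not proof of malice (some tools leave harmless padding), but an image that carries a DEX, ZIP or ELF after its end marker has no legitimate reason to, and an SDK that fetches such images and then calls DexClassLoader on the extracted bytes is exactly the loader behaviour described above.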
"Virus writers are capable of creating additional Trojan modules that will perform other malicious actions. For example, display phishing windows to steal login credentials, show advertising, and also covertly download and install applications," Dr.Web experts said in a report published last week.
They found this malicious behavior in 27 Android games available through the Play Store, installed on more than 4.5 million devices. Experts say they notified Google of the malicious applications.
Eight days after Dr.Web's report went public, Bleeping Computer checked most of the apps reported to have exhibited this behavior, and most are still on the Play Store.
In past similar cases, Google often deactivates apps containing malicious SDKs until the developer removes the malicious component. While some of these apps are still available today, they may not contain the adware behavior anymore. Since we can't tell, it may be a good idea to avoid the following apps for the foreseeable future.
| Program name | Application package name | Version |
|---|---|---|
| Era of Arcania | com.games37.eoa | 2.2.5 |
| Clash of Civilizations | com.tapenjoy.warx | 0.11.1 |
| Sword and Magic | com.UE.JYMF&hl | 1.0.0 |
| خاتم التنين - Dragon Ring (For Egypt) | com.reedgame.ljeg | 1.0.0 |
| 樂舞 - 超人氣3D戀愛跳舞手遊 (Dance Love - popular 3D romance dance mobile game) | com.baplay.love | 1.0.2 |
| Kıyamet Kombat Arena | com.esportshooting.fps.thekillbox.tr | 1.1.4 |
| Never Find Me - 8v8 real-time casual game | com.gemstone.neverfindme | 1.0.12 |
| King of Warship: National Hero | com.herogames.gplay.kowglo | 1.5.0 |
| King of Warship: Sail and Shoot | com.herogames.gplay.kowsea | 1.5.0 |
| Sword and Magic | com.linecorp.LGSAMTH | Depends on device model |
| Gumballs & Dungeons: Roguelike RPG Dungeon crawler | com.qc.mgden.android | 0.41.171020.09-1.8.6 |
| Warship Rising - 10 vs 10 Real-Time Esport Battle | com.sixwaves.warshiprising | 1.0.8 |
| Thủy Chiến - 12 Vs 12 (Naval Battle - 12 vs 12) | com.vtcmobile.thuychien | 1.2.0 |
| 頂上三国 - 本格RPGバトル (Summit Three Kingdoms - Authentic RPG Battle) | com.yileweb.mgcsgja.android | 1.0.5 |