An Android app component meant to provide inter-user chatting capabilities has been opening websites and clicking on ads in the background on users' phones.

According to a report published last week, this malicious component is part of a software development kit (SDK) offered by a Chinese company named 呀呀云 (Ya Ya Yun).

Android app developers use the Ya Ya Yun SDK to add an instant messaging (chat) feature to games they develop. The Android game will use the SDK for the chat features and will free up developers to cater to other facets of the game.

SDK downloaded malicious components disguised as images

This software design practice of using an SDK to offload various app features to remote services is dangerous as it gives a remote company control over your app.

In the case of Android game developers who chose the Ya Ya Yun SDK, this trust was misplaced, according to Russian antivirus vendor Dr.Web.

The company's mobile security researchers said they've spotted apps containing this SDK on the official Google Play Store. These apps, according to Dr.Web, were downloading other components hidden inside benign images, like the ones below:

Images used to hide malicious Ya Ya Yun components

The Ya Ya Yun SDK was downloading these images, unpacking the malicious component found inside, and running it on users' devices. For now, the components it downloaded only opened a URL inside a hidden browser and clicked on ads for the crooks' profit, but experts say this could very easily be changed to many other malicious actions.

"Virus writers are capable of creating additional Trojan modules that will perform other malicious actions. For example, display phishing windows to steal login credentials, show advertising, and also covertly download and install applications," Dr.Web experts said in a report published last week.

Over 4.5 million users impacted by Android.RemoteCode.127 trojan

They found this malicious behavior in 27 Android games available through the Play Store, installed on more than 4.5 million devices. Experts say they notified Google of the malicious applications.

Eight days after Dr.Web's report went public, Bleeping Computer checked most of the apps reported to have exhibited this behavior, and most are still on the Play Store.

In similar past cases, Google has often deactivated apps containing malicious SDKs until the developer removed the malicious component. While some of these apps are still available today, they may not contain the adware behavior anymore. Since we can't tell, it may be a good idea to avoid the following apps for the foreseeable future.

| Program name | Application package name | Version |
|---|---|---|
| Hero Mission | | 1.8 |
| Era of Arcania | com.games37.eoa | 2.2.5 |
| Clash of Civilizations | com.tapenjoy.warx | 0.11.1 |
| Sword and Magic | com.UE.JYMF&hl | 1.0.0 |
| خاتم التنين - Dragon Ring (For Egypt) | com.reedgame.ljeg | 1.0.0 |
| perang pahlawan | com.baiduyn.indonesiamyth | 1.1400.2.0 |
| 樂舞 - 超人氣3D戀愛跳舞手遊 | | 1.0.2 |
| Fleet Glory | | 1.5.1 |
| Kıyamet Kombat Arena | | 1.1.4 |
| Love Dance | | 1.1.2 |
| Never Find Me - 8v8 real-time casual game | com.gemstone.neverfindme | 1.0.12 |
| 惡靈退散-JK女生の穿越冒險 | | 0.1.7 |
| King of Warship: National Hero | com.herogames.gplay.kowglo | 1.5.0 |
| King of Warship:Sail and Shoot | com.herogames.gplay.kowsea | 1.5.0 |
| 狂暴之翼-2017年度最具人氣及最佳對戰手遊 | com.icantw.wings | 0.2.8 |
| 武動九天 | com.indie.wdjt.ft1 | 1.0.5 |
| 武動九天 | com.indie.wdjt.ft2 | 1.0.7 |
| Royal flush | com.jiahe.jian.hjths | |
| Sword and Magic | com.linecorp.LGSAMTH | Depends on a device model |
| Gumballs & Dungeons:Roguelike RPG Dungeon crawler | | 0.41.171020.09-1.8.6 |
| Soul Awakening | | 1.1.0 |
| Warship Rising - 10 vs 10 Real-Time Esport Battle | com.sixwaves.warshiprising | 1.0.8 |
| Thủy Chiến - 12 Vs 12 | com.vtcmobile.thuychien | 1.2.0 |
| Dance Together | | 1.1.0 |
| 頂上三国 - 本格RPGバトル | | 1.0.5 |
| 靈魂撕裂 | | 1.1.0 |
| Star Legends | com.dr.xjlh1 | 1.0.6 |
