Google’s whack-a-mole with Android adware continues

Why can’t Google put a stop to adware on their official Android app marketplace? The analysis by Trend Micro researchers of a Trojan Android ad library dubbed Xavier tells the story.

The Xavier ad library is third stage of evolution of the AdDown family, which was initially able to install apps behind the user’s back, but now limits itself to harvesting device information, the user’s email address, and showing ads.

Google Play adware

The various AdDown incarnations are distributed to many app developers through an advertising SDK, and it was thus inevitable that they would end up being included in many apps.

Indeed, the offending ad library has been spotted and flagged many times before, and continued to pollute apps on Google Play for years.

How the Xavier ad library works

The main reason the Xavier ad library is able to escape detection by Google Play’s Bouncer malware prevention system are the dynamic detection evasion mechanisms it employs.

The library checks whether it is being run in a sandbox, an emulator (testing environment), and if the user’s email address contains a string (e.g. “test”, “review”, “qaplay”, etc.) that might indicate that it’s being used by a tester. If it detects any of this, it stops working.

The library also encrypts all its constant strings to make static detection and manual analysis more difficult, and encrypts traffic to its C&C server.

Is Google doing enough to keep Google Play users safe?

Trend Micro researchers say that they have detected more than 800 applications with the Xavier ad library on Google Play, and that some 70+ have already been removed the ad library from their APK package offered for download on Google Play.

This clean up effort is laudable but not nearly enough, as other similar libraries are spotted in apps almost daily.

For example, just last week SophosLabs researchers have flagged another third-party library (MarsDae) that makes Android apps repeatedly pop up annoying ads. They’ve also found 47 apps on Google Play that include it, and have been downloaded by millions of users.

The list of the offending apps can be found here, and according to the researchers, Google Play has removed some of them, but many still remain.

Difficult to remove adware

“The library supports Android 2.3 through Android 6, along with Samsung, Huawei, Meizu, Mi and Nexus devices. Its primary function is to keep the adware alive even if the user attempts a force close or memory scrub,” the researchers noted.

The MarsDae library makes it almost impossible to stop the onslaught of ads, as it uses a clever approach of creating new processes that check each other’s created files so that they can restart the ad-showing capability in case one of the processes has been stopped.

Users are advised to be careful what apps they download and not to consider themselves safe by default if they only stick to Google Play.

Using an Android security solution to block potentially malicious apps is a good idea, and so it checking for bad user reviews before installing apps. Personally, I also avoid free apps that show ads, as obviously many developers use advertising SDKs, but don’t check if they are malicious.

Don't miss