Security researchers from mobile security provider Lookout has uncovered a nasty malware concealed in about 238 Google approved apps on the Play Store that renders Android devices almost unable.
According to the security researchers, the adware which is known as BeiTaAd, is a plugin that it found to be installed on 238 apps with over 400 million combined download on the Play Store. These apps are published in China by Shanghai-based CooTek.
Lookout explained that apps usually act normal when first installed. Then, anywhere between 24 hours and 14 days, the obfuscated BeiTaAd plugin would begin to deliver out-of-apps ads. These ads are aggressive. They appear on lock screens and trigger audio and video even when the phone is asleep.
The mobile security researchers said that CooTek did a good job to conceal the plugin. Early versions of the apps had the plugin as an unencrypted dex file named beita.renc inside the assets/components directory. However, the developers renamed the file so as to make it difficult for users to know that the file was responsible for executing code.
"My wife is having the exact same issue," one person reported in November in an Android forum (via Ars Technica). "This will bring up random ads in the middle of phone calls, when her alarm clock goes off or anytime she uses any other function on her phone. We are unable to find any other information on this. It is extremely annoying and almost her phone unusable."
Lookout explained that the app developers renamed the plugin to icon-icomoom-gemini.renc and then encrypted it using the Advanced Encryption Standard. The developers then obsfuscated the decryption key within the code through a series of functions buried in a package named .com.android.utils.hades.sdk.
The CooTek developer made it even more difficult in later versions when they used a third-party library called StringFog which uses XOR and base64-based encoding to conceal BeiTa string in the files.
"All of the applications that we analyzed that contained the BeiTaAd plugin were published by CooTek, and all CooTek apps we analyzed contained the plugin," Kristina Balaam, a security intelligence engineer at LookOut said. "The developer also went to great lengths to hide the plugin's presence in the app, suggesting that they may have been aware of the problematic nature of this SDK. However, we cannot attribute BeiTa to Cook with complete certainty."
Lookout reported the CooTek apps to Google, and the apps were either removed from the Play Store or updated without the BeiTaAd code.
You can visit Lookout's post to view the complete of the apps.