Malware Displaying Porn Ads Discovered in Game Apps on Google Play

Research By: Elena Root & Bogdan Melnykov

Check Point Researchers have revealed a new and nasty malicious code on Google Play Store that hides itself inside around 60 game apps, several of which are intended to be used by children. According to Google Play’s data, the apps has so far been downloaded between 3 million and 7 million times.

How It Works

Dubbed ‘AdultSwine’, these malicious apps wreak havoc in three possible ways:

1. Displaying ads from the web that are often highly inappropriate and pornographic.
2. Attempting to trick users into installing fake ‘security apps’.
3. Inducing users to register to premium services at the user’s expense.

Apart from these current three main activities, the malicious code can use its infrastructure to broaden its goals to other purposes, such as credential theft.

Figure 1: AdultSwine operation flow

Once the malicious app is installed on the device, it waits for a boot to occur or for a user to unlock his screen, upon which it initiates its malicious activity.

Illegitimate and Inappropriate Ads

First, the malicious code contacts its Command and Control server (C&C) to report the successful installation, sends data about the infected device and then receives the configurations, which determine its course of operation. These configurations instruct it on whether to hide its icon (to encumber removal), which ads to display, over which apps and on what terms. It is interesting to note that the server however forbids ads to be displayed over certain apps such as browsers and social networks, in order to avoid suspicion.

The malicious code then verifies certain conditions regarding the device’s status and checks which app is currently running on screen. Once all its terms are met, it  begins to display the illegitimate ads outside of the app’s context. If it is embedded inside a web browser app the ads will be displayed inside that browser, if not they will be displayed inside a designated web view.

As for the ads being displayed, they come from two main sources; the first is that of the main ad providers, which forbid such illegitimate display of their ads. The second is the malicious code’s own ad library, which contains ads of an offensive nature, including pornographic ads. All these are displayed to children while playing the game that the app is masquerading as.

Below is a mild example of the ads presented and a comment from one of the victims, whose son had an unfortunate experience.

Figure 2: Examples of ad displayed and user reviews on Google Play

Scareware – Deceptive App Install Tactics

Another course of action the malicious app pursues is scaring users into installing unnecessary and even harmful “security” apps.

First, the malicious app displays an ad that claims the user’s device is infected by a virus. Should the user press the notification of “Remove Virus Now” he is redirected to an app in the Google Play Store with a somewhat questionable connection to virus removal. An experienced eye could easily foresee this tactic, though a child playing a game app is easy prey for such nefarious apps.

Figure 3 – Left image: Scareware Ad Displayed
Centre image: The redirect ‘anti-virus’ app in Google Play.
Right image: User reviews in Google Play

Registering To Premium Services

Another technique used by the malicious app is registering to premium services and charging the victim’s account for fraudulent premium services they did not request to send or receive. In a similar way to the scareware tactic seen above, the malicious app initially displays a pop-up ad, which attempts to persuade the user to click through.

This time however, the ad claims that the user is entitled to win an iPhone by simply answering four short questions. Should the user answer them, the malicious code informs the user that he has been successful, and asks him to enter his phone number to receive the prize. Once entered, the malicious code then uses this number to register to premium services.

The flow is presented in the images below.

                                     Notification of Winning the iPhone            Request to Enter Phone Number

A Comprehensive Threat

Although for now this malicious app seems to be a nasty nuisance, and most certainly damaging on both an emotional and financial level, it nevertheless also has a potentially much wider range of malicious activities that it can pursue, all relying on the same common concept.

The malicious code simply receives a target link from its Command and Control server and displays it to the user. While in some cases this link is merely an advertisement, it could also lead to whatever social engineering scheme the hacker has in mind.

Indeed, these plots continue to be effective even today, especially when they originate in apps downloaded from trusted sources such as Google Play.

Appendix 1 – List of App Names

Appendix 2 – List of SHA256 hashes