Author Topic: Avast Mobile Security doesn't detect adware  (Read 15299 times)


Offline andrei.mankevich

  • Newbie
  • *
  • Posts: 1
Avast Mobile Security doesn't detect adware
« on: January 23, 2015, 07:56:19 PM »
Hi,

I've found a dozen apps in Google Play with the same malicious ad SDK integrated. Each time you unlock your device, the app will open an ad URL in the background or show an interstitial ad over the screen.
Here is the video showing the ads: https://www.youtube.com/watch?v=UkRAu2xcuTU
For some reason Avast Mobile Security doesn't treat these apps as suspicious or dangerous, although it is rather easy to detect apps with this ad SDK: they have the same components declared in the manifest.

Here are a few apps which have this adware inside:
https://play.google.com/store/apps/details?id=com.cardgame.durak
https://play.google.com/store/apps/details?id=com.konka.russian.history
https://play.google.com/store/apps/details?id=com.iwolt.iqtest

Ads are not shown directly after install; the app keeps silent for some time. You need to follow several steps to see them:
- Install the app
- Launch it once
- Reboot the device (at the beginning the app starts the malicious code only after a reboot)
- Change the system date on the device to 7 days in the future or further
- Reboot it again
Now each time you unlock your device, the app will open an ad URL in the background or show an interstitial ad over the screen.

I think Avast Mobile Security should warn about apps with this ad SDK installed. These apps can be harmful because, besides showing ads, the SDK has some extra features like changing the Wi-Fi DNS server, changing the browser homepage and creating shortcuts.

As I've already spent some time decompiling APK files and investigating this SDK, I'll add more technical details from my claim to the Google Play team:
Quote
If you are interested, here is a more technical explanation of why I'm sure that this particular app is responsible for these ads and other violations.
When I press the power button on my device and unlock it, I see the following lines in Logcat:

01-31 02:15:13.303: D/Microlog(3020): Microlog 1669935:[DEBUG]-Open url external. Start with intent: Intent { act=android.intent.action.VIEW dat=http://brodero.com/v2/b/rs?agid=af70e9985-a73c-46d6-a24e-a7e112748cf7&vid=3ad864d4-643d-4f55-8dbd-ae76ebf08bbc&bgid=ba6195268-bfaa-451c-8736-aba9b7449306&u=http://terigal.ru/7utq44kvjob6n2rq47av5t9122twv5ob511x1pxpj4q&dyn=xK9dZt_ZDOxeAvvtziYEB32B-KaPEp3_gYayyDZDVS0&sig=eqrEar8HUBLiNU87e0xioQ&ts=1421968510077&m=0 flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main }
01-31 02:15:13.306: I/ActivityManager(734): START u0 {act=android.intent.action.VIEW dat=http://brodero.com/v2/b/rs?agid=af70e9985-a73c-46d6-a24e-a7e112748cf7&vid=3ad864d4-643d-4f55-8dbd-ae76ebf08bbc&bgid=ba6195268-bfaa-451c-8736-aba9b7449306&u=http://terigal.ru/7utq44kvjob6n2rq47av5t9122twv5ob511x1pxpj4q&dyn=xK9dZt_ZDOxeAvvtziYEB32B-KaPEp3_gYayyDZDVS0&sig=eqrEar8HUBLiNU87e0xioQ&ts=1421968510077&m=0 flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10065 on display 0

So the browser URL intent is started from the process with PID 3020. When I execute the commands 'adb shell' and then 'ps | grep 3020' in order to see which process has this PID, I get the following output:

shell@hammerhead:/ $ ps | grep 3020
ps | grep 3020
u0_a65    3020  195   1534568 66696 ffffffff 00000000 S com.cardgame.durak

So the package name is 'com.cardgame.durak'. After some investigation of the APK file of this game, I've found the most interesting components declared in the manifest:
- Broadcast receiver 'mobi.dash.overapp.DisplayCheckRebootReceiver', registered to respond to the BOOT_COMPLETED action. This receiver is responsible for waiting; the app can wait for weeks and stay invisible.
- Service 'mobi.dash.overapp.DisplayCheckService', which is responsible for showing ads and receiving commands from a remote server.
There are also a few other 'mobi.dash.*' components, but these two are the most important.

The APK file contains a config file for the 'mobi.dash' ad SDK. It is called 'ads_settings.json' and it is stored under the 'res\raw' folder. It configures how long the app should wait before showing ads (e.g. the 'overappStartDelaySeconds' property; in this particular case it has the value 86400, which means one day, 24 hours * 60 minutes * 60 seconds).
The APK file also contains malicious code inside the package 'mobi.dash.*'. For example, there is a class called 'mobi.dash.homepage.AdsHomepageUtils' which can change the browser homepage, and 'mobi.dash.shortcuts.AdsShortcutUtils', which creates launcher shortcuts when the command server sends the appropriate message.
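
The manifest-based check described in the post above, as an added example (not code from the original poster or from Avast): it flags 'mobi.dash.*' components in a decoded AndroidManifest.xml, marks those registered for BOOT_COMPLETED, and reads the start delay from 'ads_settings.json'. It assumes the manifest has already been decoded to text XML; the sample manifest, the package name 'com.example.sample', the sample JSON and the function names are constructed for illustration.

```python
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SDK_PREFIX = "mobi.dash."          # package prefix named in the post
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample: decoded manifest text, trimmed to the components the post names.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name="mobi.dash.overapp.DisplayCheckRebootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name="mobi.dash.overapp.DisplayCheckService"/>
  </application>
</manifest>"""

# Constructed sample of res/raw/ads_settings.json; only the key quoted in the post.
SAMPLE_SETTINGS = '{"overappStartDelaySeconds": 86400}'

def scan_manifest(manifest_xml):
    """Return SDK components found and which of them are started at boot."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    components, boot_receivers = [], []
    for tag in ("activity", "service", "receiver", "provider"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            if name.startswith("."):            # expand relative class names
                name = package + name
            if not name.startswith(SDK_PREFIX):
                continue
            components.append((tag, name))
            actions = {a.get(ANDROID_NS + "name") for a in node.iter("action")}
            if tag == "receiver" and BOOT_ACTION in actions:
                boot_receivers.append(name)
    return {"components": components, "boot_receivers": boot_receivers}

def start_delay_hours(settings_json):
    """Dormancy period before ads start, in hours, or None if the key is absent."""
    delay = json.loads(settings_json).get("overappStartDelaySeconds")
    return None if delay is None else delay / 3600

if __name__ == "__main__":
    print(scan_manifest(SAMPLE_MANIFEST), start_delay_hours(SAMPLE_SETTINGS))
```

A boot-registered receiver combined with a long start delay matches the dormancy behaviour described in the post, which is why both signals are reported together.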

Offline Janek9

  • Avast team
  • *
  • Posts: 11
Re: Avast Mobile Security doesn't detect adware
« Reply #1 on: January 26, 2015, 04:13:38 PM »
Hello, thanks very much for the information, Avast viruslab is checking it out!

Offline Filip

  • Newbie
  • *
  • Posts: 7
Re: Avast Mobile Security doesn't detect adware
« Reply #2 on: January 26, 2015, 04:21:02 PM »
Hello,
thank you so much for pointing this out! It will be covered in the next update.

Best regards,

Filip

Offline tlise

  • Newbie
  • *
  • Posts: 1
Re: Avast Mobile Security doesn't detect adware
« Reply #3 on: February 06, 2015, 11:38:12 AM »
The fact that someone actually thought to point it out to Avast should be rewarded, I think. After having the same problem and Google only coming up with it was push notifications, and no help from the Play Store, it has helped seeing action taken :)

Offline svehlak

  • Sr. Member
  • ****
  • Posts: 291
Re: Avast Mobile Security doesn't detect adware
« Reply #4 on: February 17, 2015, 02:25:05 PM »
And we are not declining this idea, but one cannot expect much :-)