Avast WEBforum

Avast Products => Avast Mobile Apps => Avast Mobile Security for Android => Topic started by: andrei.mankevich on January 23, 2015, 07:56:19 PM

Title: Avast Mobile Security doesn't detect adware
Post by: andrei.mankevich on January 23, 2015, 07:56:19 PM

I've found a dozen apps in Google Play with the same malicious ad SDK integrated. Each time you unlock your device, the app will open an ad URL in the background or show an interstitial ad over the screen.
Here is the video showing the ads: https://www.youtube.com/watch?v=UkRAu2xcuTU
For some reason Avast Mobile Security doesn't treat these apps as suspicious or dangerous, although it is rather easy to detect apps with this ad SDK: they have the same components declared in the manifest.

Here are a few apps which have this adware inside:

Ads are not shown directly after install; the app stays silent for some time. You need to follow several steps to see them:
- Install the app
- Launch it once
- Reboot the device (at the beginning the app starts the malicious code only after a reboot)
- Change the system date on the device to 7 days in the future or further
- Reboot it again
Now each time you unlock your device the app will open an ad URL in the background or show an interstitial ad over the screen.

I think Avast Mobile Security should warn about apps with this ad SDK installed. These apps can be harmful because, besides showing ads, the SDK has some extra features like changing the Wi-Fi DNS server, changing the browser homepage and creating shortcuts.

As I've already spent some time decompiling APK files and investigating this SDK, I'll add more technical details from my claim to the Google Play team:
If you are interested, here is a more technical explanation of why I'm sure that this particular app is responsible for these ads and other violations.
When I press the power button on my device and unlock it, I see the following lines in Logcat:

01-31 02:15:13.303: D/Microlog(3020): Microlog 1669935:[DEBUG]-Open url external. Start with intent: Intent { act=android.intent.action.VIEW dat=http://brodero.com/v2/b/rs?agid=af70e9985-a73c-46d6-a24e-a7e112748cf7&vid=3ad864d4-643d-4f55-8dbd-ae76ebf08bbc&bgid=ba6195268-bfaa-451c-8736-aba9b7449306&u=http://terigal.ru/7utq44kvjob6n2rq47av5t9122twv5ob511x1pxpj4q&dyn=xK9dZt_ZDOxeAvvtziYEB32B-KaPEp3_gYayyDZDVS0&sig=eqrEar8HUBLiNU87e0xioQ&ts=1421968510077&m=0 flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main }
01-31 02:15:13.306: I/ActivityManager(734): START u0 {act=android.intent.action.VIEW dat=http://brodero.com/v2/b/rs?agid=af70e9985-a73c-46d6-a24e-a7e112748cf7&vid=3ad864d4-643d-4f55-8dbd-ae76ebf08bbc&bgid=ba6195268-bfaa-451c-8736-aba9b7449306&u=http://terigal.ru/7utq44kvjob6n2rq47av5t9122twv5ob511x1pxpj4q&dyn=xK9dZt_ZDOxeAvvtziYEB32B-KaPEp3_gYayyDZDVS0&sig=eqrEar8HUBLiNU87e0xioQ&ts=1421968510077&m=0 flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10065 on display 0

So the browser URL intent is started from the process with PID 3020. When I execute the commands 'adb shell' and then 'ps | grep 3020' in order to see which process has this PID, I get the following output:

shell@hammerhead:/ $ ps | grep 3020
ps | grep 3020
u0_a65    3020  195   1534568 66696 ffffffff 00000000 S com.cardgame.durak

So the package name is 'com.cardgame.durak'. After some investigation of the APK file of this game I've found the most interesting components declared in the manifest:
- Broadcast receiver 'mobi.dash.overapp.DisplayCheckRebootReceiver', registered to respond to the BOOT_COMPLETED action. This receiver is responsible for waiting; the app can wait for weeks and stay invisible.
- Service 'mobi.dash.overapp.DisplayCheckService', which is responsible for showing ads and receiving commands from a remote server.
There are also a few other 'mobi.dash.*' components, but these two are the most important.

The APK file contains a config file for the 'mobi.dash' ad SDK. It is called 'ads_settings.json' and it is stored under the 'res\raw' folder. It configures how long the app should wait before showing ads (e.g. the 'overappStartDelaySeconds' property; in this particular case it has the value 86400, which means one day: 24 hours * 60 minutes * 60 seconds).
The APK file also contains malicious code inside the package 'mobi.dash.*'. For example, there is a class called 'mobi.dash.homepage.AdsHomepageUtils' which can change the browser homepage, and 'mobi.dash.shortcuts.AdsShortcutUtils', which creates launcher shortcuts when the command server sends the appropriate message.
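
Added example (not part of the original post): the logcat-to-package attribution described above, automated in Python. It goes one step beyond the post by also mapping the "from uid" value in the ActivityManager line to the user name that ps prints. The function names are hypothetical, and the sample lines are constructed with a placeholder URL.

```python
import re

# Constructed samples shaped like the post's output; the URL is a placeholder.
SAMPLE_LOGCAT = """\
01-31 02:15:13.303: D/Microlog(3020): Microlog 1669935:[DEBUG]-Open url external. Start with intent: Intent { act=android.intent.action.VIEW dat=http://ads.example.invalid/rs?m=0 flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main }
01-31 02:15:13.306: I/ActivityManager(734): START u0 {act=android.intent.action.VIEW dat=http://ads.example.invalid/rs?m=0 flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10065 on display 0
"""
SAMPLE_PS = """\
system    734   195   1600000 90000 ffffffff 00000000 S system_server
u0_a65    3020  195   1534568 66696 ffffffff 00000000 S com.cardgame.durak
u0_a12    2811  195   1500000 60000 ffffffff 00000000 S com.android.chrome
"""

START_RE = re.compile(r"I/ActivityManager\(\s*\d+\): START u\d+ \{act=android\.intent\.action\.VIEW "
                      r"dat=(\S+) .*\} from uid (\d+)")
TAG_PID_RE = re.compile(r": [VDIWEF]/[^(]+\(\s*(\d+)\): ")


def uid_to_ps_user(uid):
    """Map a numeric app UID to the name ps prints, e.g. 10065 -> u0_a65."""
    user, app = divmod(uid, 100000)   # Android allots 100000 UIDs per user
    return f"u{user}_a{app - 10000}" if app >= 10000 else None


def parse_ps(ps_text):
    """Return (user, pid, process name) for each ps row."""
    rows = (line.split() for line in ps_text.splitlines() if line.strip())
    return [(r[0], int(r[1]), r[-1]) for r in rows if len(r) >= 3 and r[1].isdigit()]


def attribute_launches(logcat_text, ps_text):
    """For each VIEW intent, name the processes owned by the calling UID."""
    procs, lines, found = parse_ps(ps_text), logcat_text.splitlines(), []
    for line in lines:
        m = START_RE.search(line)
        if not m:
            continue
        url, uid = m.group(1), int(m.group(2))
        owned = [(pid, name) for user, pid, name in procs if user == uid_to_ps_user(uid)]
        # Corroborate: PIDs whose own log lines mention the same URL.
        loggers = {int(t.group(1)) for ln in lines if url in ln
                   for t in [TAG_PID_RE.search(ln)] if t}
        found.append({"url": url, "uid": uid, "processes": owned,
                      "also_logged_url": sorted(p for p, _ in owned if p in loggers)})
    return found
```
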

Title: Re: Avast Mobile Security doesn't detect adware
Post by: Janek9 on January 26, 2015, 04:13:38 PM
Hello, thanks very much for the information, Avast viruslab is checking it out!

Title: Re: Avast Mobile Security doesn't detect adware
Post by: Filip on January 26, 2015, 04:21:02 PM
Thank you so much for pointing this out! It will be covered in the next update.

Best regards,

Title: Re: Avast Mobile Security doesn't detect adware
Post by: tlise on February 06, 2015, 11:38:12 AM
The fact that someone actually thought to point it out to Avast, should be rewarded I think. After having the same problem and Google only coming up with it was push notifications, and no help from the play store, it has helped seeing action taken :)

Title: Re: Avast Mobile Security doesn't detect adware
Post by: svehlak on February 17, 2015, 02:25:05 PM
And we are not declining this idea, but one can not expect much :-)