If you’ve been put off by the proliferation of annoying Google Play apps, this latest report is for you. Carefully hidden adware installed in Google-approved applications with more than 440 million installations is so aggressive that it renders mobile devices nearly unusable, researchers from the security provider Lookout Mobile said Tuesday.
BeiTaAd, as the adware is known, is a plugin that Lookout says it found hidden in the TouchPal emoji keyboard app and 237 other apps, all published by Shanghai, China-based CooTek. In total, the 238 unique applications have a combined 440 million installations. Once installed, the apps initially behave normally. Then, after waiting anywhere from 24 hours to 14 days, the obfuscated BeiTaAd plugin starts delivering what are known as out-of-app ads. These ads appear on users’ lock screens and trigger audio and video at random times, even when the phone is asleep.
“My wife has the exact same issue,” one person wrote in a November forum post about BeiTaAd. “This will bring you random ads between phone calls, when your alarm clock goes off or whenever you use another service on your phone. We can’t find any other information on this. Your phone is unusable.”
The Lookout post says that the developers responsible for the 238 apps went to great lengths to hide the plugin. Initial versions of the apps included it as an unencrypted dex file named beita.renc inside the assets/components directory. The renaming had the effect of obscuring that the file was responsible for executing code. Later, the app developers renamed the plugin to the more opaque icon-icomoon-gemini.renc and encrypted it using the Advanced Encryption Standard. The developers then hid the decryption key within the code through a series of functions buried in a package named com.android.utils.hades.sdk. In later versions, the developers used a third-party library called StringFog, which uses XOR and base64 encoding, to obscure all instances of the string “BeiTa” in the app’s files.
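The two hiding steps described above (a plain dex file renamed under assets/, later replaced by an encrypted blob) leave traces a defender can triage automatically. The following is an added example, not code from the article or from Lookout: it scans an APK’s assets for files that carry the dex magic or that are high-entropy blobs with an unusual extension; the extension list and the sample APK are constructed for illustration.

```python
import io
import math
import random
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"  # every classes.dex begins with "dex\n", a 3-digit version and a NUL
# Constructed watch-list; ".renc" is the extension named in the article.
SUSPECT_EXTENSIONS = (".renc", ".bin", ".dat")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 means random-looking (encrypted or compressed)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk_assets(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Return {asset path: reason} for assets that look like hidden code payloads."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("assets/") or name.endswith("/"):
                continue  # only assets matter here; classes.dex at the root is expected
            data = zf.read(name)
            if data[:4] == DEX_MAGIC:
                findings[name] = "unencrypted dex under assets/"
            elif name.lower().endswith(SUSPECT_EXTENSIONS) and shannon_entropy(data) > entropy_threshold:
                findings[name] = "high-entropy blob with unusual extension (possibly encrypted dex)"
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK: a renamed plain dex, an 'encrypted' blob, and a benign asset."""
    rng = random.Random(7)  # deterministic stand-in for AES ciphertext
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        zf.writestr("assets/components/beita.renc", b"dex\n035\0" + b"A" * 64)
        zf.writestr("assets/components/icon-icomoon-gemini.renc",
                    bytes(rng.getrandbits(8) for _ in range(4096)))
        zf.writestr("assets/emoji/smile.json", b'{"emoji": "smile"}')
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in scan_apk_assets(build_sample_apk()).items():
        print(f"{path}: {reason}")
```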
“All analyzed applications containing the BeiTaAd plugin are published by CooTek, and all analyzed CooTek applications contain the plugin,” Kristina Balaam, a security intelligence engineer at Lookout, wrote in an email. “The developers also went to great lengths to hide the appearance of the plugin in the app, suggesting that they may have known about the problematic nature of this SDK. However, we cannot attribute BeiTa to CooTek with absolute certainty.”
Ars has asked representatives from both CooTek and Google for comment. This post will be updated if either or both respond.
Busted!
Lookout reported the behavior of BeiTaAd to Google, and the apps responsible were then either removed from Play or updated to remove the offending plugin. There is no indication that CooTek will be banned or otherwise penalized for violating Play’s terms of service on such a large scale, or for taking steps to conceal the violation. The remaining 237 CooTek applications that installed the plugin are listed at the end of the Lookout post.
The forum thread linked above documents BeiTaAd plaguing users for at least seven months. Google’s inability to detect the abuse, either initially when the apps were released or later as those apps rendered millions of phones nearly inoperable, speaks to the company’s incompetence, or possibly a lack of sufficient motivation, to police its marketplace against blatant abuse. The number of affected installations shows that even widely used applications have the potential to be malicious.
Until Google shows signs of getting the problem of malware and malicious apps under control, Android users should be skeptical of Google Play and download apps sparingly.
Update: In a statement sent 10 hours after this post went live, a CooTek representative wrote: “The module mentioned in the report is one of the monetization SDKs in our previous versions, and is not intended for adware purposes. Before the report, we had already noticed the issue and disabled the advertising services in the SDK in question a few months ago. We also removed the entire module in question last month.”