Bill Brenner, security researcher, Sophos

Data is the online currency of the 21st century. We are continuously accessing online services for free in exchange for giving up contact details like an email address. Likewise many of us accept advertisements constantly popping up on our phones so we can play the latest addictive game for free. There's nothing wrong with any of this when the advertisements are safe and we're informed about how and where our data is being used and stored, but what about when we don't know where our data is going?

Android's Google Play store is the default app store for over a billion Android users. While Android security vulnerabilities are most often associated with apps downloaded from third-party app markets, the adware on some of the apps on Google's own store have been revealed as a potential threat to your data, according to recent research from SophosLabs.

Adware is typically seen as a nuisance that doesn't do any real harm. However, some of it does more than serve up targeted ads: it can collect the user's personal information, including email addresses, and send it to a remote server. Specifically, the research identified an adware library known as Android XavirAd, and its information-stealing component as Andr/Infostl-BK.

What's actually happening?

XavirAd is currently found in more than 50 Google Play apps, some of which have more than a million downloads. For all the impacted apps combined, the total download number is about 55 million. One app that the research found to have been impacted was the “Add Text on a Photo” app.

When apps like these are installed, users will get a full screen advertisement popping up at regular intervals – even when the app is closed. Unsurprisingly, in this instance users were quickly irritated by this feature and voiced their discontent by posting negative reviews of the “Add Text on a Photo” app on the Google Play store. One user wrote, “Too many ads. Might be a good app but the ads are VERY annoying. They pop up even when you are not in {in the app} so I uninstalled.”

But XavirAd is capable of doing worse than just popping up annoying ads. Once the app is started, the XavirAd library contacts its server and gets the following configuration code:

The server then responds with advertisement settings, including full screen ad intervals, and saves them in the user's shared preferences. Upon further research by SophosLabs it appeared that the domain api-restlet.com, registered for this purpose, was at least a year and a half old, with origins in Vietnam.

After this, it downloads another .dex file from cloud.api-restlet.com:

And this is where it gets bad for your data privacy: the downloaded .dex file will then collect the following information from the user's phone:

  • User's email address for Google account
  • List of apps installed
  • IMEI identifier and android_id
  • Screen resolution
  • Manufacturer, model, brand, OS version
  • SIM operator
  • App installation source

It then encrypts the data and sends it on to a web address.
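The sequence above (configuration fetch from api-restlet.com, .dex download from cloud.api-restlet.com, then upload of the harvested data) is the part of this behaviour that is visible on the network. The following is an added example, not code from the SophosLabs research, that scans constructed proxy log lines for requests to the domain named in this article and labels each by stage; the log format and the treatment of a POST to that domain as possible exfiltration are assumptions, since the article does not name the upload endpoint.

```python
import re
from urllib.parse import urlparse

# Domain named in the article as the XavirAd configuration and .dex download host.
XAVIRAD_DOMAINS = ("api-restlet.com",)

# Constructed proxy log lines (not real captures): "<ts> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2017-08-01T10:00:01Z 10.0.0.12 GET https://api-restlet.com/config 200
2017-08-01T10:00:02Z 10.0.0.12 GET https://cloud.api-restlet.com/update.dex 200
2017-08-01T10:00:03Z 10.0.0.12 GET https://example.com/ads/banner.png 200
2017-08-01T10:00:04Z 10.0.0.15 GET https://notapi-restlet.com/ 200
2017-08-01T10:00:05Z 10.0.0.15 POST https://cloud.api-restlet.com/collect 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d{3})$")


def host_matches(host, domain):
    """True for the domain itself or any subdomain; look-alikes such as
    notapi-restlet.com must not match, hence the leading dot check."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan_proxy_log(text):
    """Return one finding per request to a XavirAd domain, labelled by stage."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url, status = m.groups()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not any(host_matches(host, d) for d in XAVIRAD_DOMAINS):
            continue
        if parsed.path.lower().endswith(".dex"):
            stage = "dex-download"          # second-stage code fetch
        elif method == "POST":
            stage = "possible-exfiltration"  # assumption: upload of collected data
        else:
            stage = "config-fetch"           # ad settings retrieval
        findings.append({"ts": ts, "client": client, "host": host, "stage": stage})
    return findings
```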

How does XavirAd stay undetected?

XavirAd works very hard to hide itself from security inspections. The strings it uses are all encrypted. Each class has its own decryption routine in the class constructor. Although the algorithm remains the same, the keys are different in each class.

It also uses anti-sandbox techniques to hide from dynamic analysis: it stops the malicious behaviour if it finds it is running in a testing environment. How? Well, first it checks for an emulator:

It then checks the following strings for the emulator:

As a further safety net against being run by a tester, it also checks the user's email address. If the email address contains any of the following strings, it will stop the action:

  • @google.com
  • @facebook.com
  • Tested
  • Test
  • Gplay
  • Gaplay
  • Review

What about privacy?

As already mentioned the collection of personal data is something we often consent to in exchange for services. The issue here is that in the privacy policy of the app it specifies that it does NOT collect or store any personal information:

“Privacy policy: 1.1 We DO NOT collect, store or use any personal information while you visit, download or upgrade our website or our products, excepting the personal information that you submit to us when you create a user account, send an error report or participate in online surveys and other activities” 

Clearly for this app its privacy policy is not accurate, potentially fooling hundreds if not millions of users.

Personal data is becoming increasingly valuable, and unfortunately not everyone is as open and honest about its collection as they should be. With millions of apps on the market and more under development, it's difficult to detect threats like this. However, one way to be safe is to ensure you have the right antivirus apps installed and take security seriously.

To stay one step ahead, specifically when it comes to XavirAd though, here's a full list of the Google Play apps that contain the adware so you can avoid them:

Contributed by Bill Brenner, security researcher, Sophos

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.