238 Google Play apps with >440 million installs made phones nearly unusable


If the prevalence of abusive Google Play apps has left you numb, this latest report is for you. Carefully concealed adware installed in Google-approved apps with more than 440 million installations was so aggressive that it rendered mobile devices nearly unusable, researchers from mobile security provider Lookout said Tuesday.

BeiTaAd, as the adware is known, is a plugin that Lookout says it found hidden in the emoji keyboard TouchPal and 237 other applications, all of which were published by Shanghai, China-based CooTek. Together, the 238 unique apps had a combined 440 million installs. Once installed, the apps initially behaved normally. Then, after a delay of anywhere between 24 hours and 14 days, the obfuscated BeiTaAd plugin would begin delivering what are known as out-of-app ads. These ads appeared on users’ lock screens and triggered audio and video at seemingly random times or even when a phone was asleep.

“My wife is having the exact same issue,” one person reported in November in this thread discussing BeiTaAd. “This will bring up random ads in the middle of phone calls, when her alarm clock goes off or anytime she uses any other function on her phone. We are unable to find any other information on this. It is extremely annoying and almost [makes] her phone unusable.”

Lookout’s post said the developers responsible for the 238 apps went to great lengths to conceal the plugin. Early versions of the apps incorporated it as an unencrypted dex file named beita.renc inside the assets/components directory. The renaming had the effect of making it harder for users to know the file was responsible for executing code.

Later, app developers renamed the plugin to the more opaque icon-icomoon-gemini.renc and encrypted it using the Advanced Encryption Standard. The developers then obfuscated the decryption key within the code through a series of functions buried in a package named com.android.utils.hades.sdk. In later versions still, developers used a third-party library called StringFog, which used XOR- and base64-based encoding to hide every instance of the string “BeiTa” in the files.
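As an added example (not code from Lookout's report or from Ars), a small Python scanner that applies the two tells described above to an APK's assets/ directory: a file with a non-code extension whose bytes begin with the DEX magic, or a file whose byte entropy is high enough to look encrypted. The sample APK, its file names (borrowed from the article), and the entropy threshold are constructed assumptions for the demonstration.

```python
import io
import math
import os
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"  # every DEX file starts with "dex\n" followed by a version


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 means random-looking (encrypted or compressed)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data: bytes) -> str:
    """Classify an asset by content, deliberately ignoring its file extension."""
    if data.startswith(DEX_MAGIC):
        return "plaintext-dex"   # executable code hiding under a non-code extension
    if shannon_entropy(data) > 7.5:  # assumed threshold; tune on a real corpus
        return "high-entropy"    # consistent with an AES-encrypted or packed payload
    return "other"


def scan_apk(apk_bytes: bytes, min_size: int = 1024) -> dict:
    """Return {asset path: verdict} for suspicious files under assets/ in an APK (a zip)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = zf.read(info)
            if len(data) < min_size:  # skip tiny files where entropy is noisy
                continue
            verdict = classify_blob(data)
            if verdict != "other":
                findings[info.filename] = verdict
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK: a renamed DEX, an encrypted-looking blob, and a benign text asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/components/beita.renc", DEX_MAGIC + b"035\x00" + b"\x00" * 2048)
        zf.writestr("assets/icon-icomoon-gemini.renc", os.urandom(4096))
        zf.writestr("assets/strings.txt", b"hello world\n" * 200)
    return buf.getvalue()
```

Run against a real APK with `scan_apk(open(path, "rb").read())`; a hit of either kind is a reason to pull the file apart, not proof of abuse, since legitimate apps also ship encrypted or packed assets.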

“All of the applications we analyzed that contained the BeiTaAd plugin were published by CooTek, and all CooTek apps we analyzed contained the plugin,” Kristina Balaam, a security intelligence engineer at Lookout, wrote in an email. “The developer also went to great lengths to hide the plugin’s presence in the app, suggesting that they may have been aware of the problematic nature of this SDK. However, we cannot attribute BeiTa to CooTek with complete certainty.”

Ars has asked representatives from both CooTek and Google to comment. This post will be updated if either or both respond.

Busted!

Lookout reported the behavior of BeiTaAd to Google, and the apps responsible were subsequently either removed from Play or updated to remove the abusive plugin. There’s no indication that CooTek will be banned or otherwise punished for breaching Play terms of service on such a mass scale and for taking the steps it did to hide the violation. The remaining 237 CooTek apps that embedded the plugin are listed at the end of Lookout’s post.

The above-linked forum discussing BeiTaAd documents that the plugin has been menacing users for at least seven months. Google’s inability to detect the abuse, either initially when the apps were submitted or later as those apps made millions of phones nearly unusable, speaks to the company’s inability, or possibly its lack of sufficient motivation, to police its marketplace against flagrant abuse. The number of installs affected demonstrates that even widely used apps can turn out to be malicious.

Until Google shows signs of getting the problem of malicious and abusive apps under control, Android users should remain skeptical of Google Play and download apps sparingly.

Update: In a statement sent 10 hours after this post went live, a CooTek representative wrote: “The module mentioned in the report was one of the monetization SDK in our previous versions, and it was not intended for adware purposes. Before the report, we already noticed the issue and disabled the advertising functions in the SDK in question several months ago. We further removed the entire module in question in last month.”