
Google has removed 210 Android apps with a combined total of 150 million installs that allowed attackers to display ads, install apps, and open web sites once a device had been started.
All of these apps were utilizing a malicious software development kit called “RXDrioder” that allowed attackers to display advertisements and open URLs on a Android device when the device was booted or the user unlocks the screen. It is not known if the app developers knowingly utilized this malicious library or were tricked into doing so.
According to a report shared by Check Point with BleepingComputer, these malware apps are being dubbed ‘SimBad’ as the apps were mostly driving and racing simulator games such as Snow Heavy Excavator Simulator, Ambulance Rescue Driving, and Water Surfing Car Stunt. The apps had a combined total of over 150 million installs, with the app named “Snow Heavy Excavator Simulator” having over 10 million installs.

When installed, the apps would register themselves so that they would automatically launch after a device is booted or a user has unlocked the phone. Once launched, the apps would start displaying ads on the affected devices, which was did not go unnoticed by users.

Some security vendors are detecting apps with these malicious libraries as “Android.AirPush”.
Connects to C2 server on startup
When started, the adware apps would connect to a command and control server located at www.addroider.com in order to receive commands to execute as illustrated in the attack flow below.

The command and control server would then respond with a command to execute. In the image below, you can see a list of available commands that can be sent to the app, which include removing the app’s icon from the launcher to make it harder to remove, show a notification, start background ads, open URLs, and open the Google Play Store and 9Apps to promote and download other apps.

Not much is known about the addroider.com domain utilized by this malicious SDK as it is registered under GoDaddy and has privacy enabled. When visiting the page it is titled Addroider and only displays a login prompt as shown below.

While the apps were previously being used to display ads, Check Point has stated that the actors could have also used it for spear phishing attempts utilizing its ability to open web pages.
“‘SimBad’ has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications,” Check Point stated in their report. “With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.”
Check Point discovered these malicious apps on January 28th, 2019 and reported them to Google. The researchers received confirmation that Google removed the apps on February 22nd, 2019.
This campaign, though, shows how it is important that Android users read an app’s reviews before installing it. As the reviews for many of these apps indicated that something was not right about them and that a common concern was ads, it should have alerted users that these were apps to avoid.