One of the most common ways of distributing Android malware through the Google Play app store is to disguise it as a legitimate popular application. We have already written about such examples as the fake Dubsmash applications and the Android/TrojanDropper.Mapin malware. These applications have compromised tens of thousands of Android device owners. To protect users of this mobile OS, ESET analysts monitor Google Play for new applications that carry malicious or unwanted software.

Another malicious application that Google Play users have downloaded over 200 thousand times is AdDisplay. It was available for download for more than a month and was disguised as other applications called Cheats for Pou, Guide For SubWay and Cheats For Subway. These applications specialize in displaying ads to the user at regular intervals.

Applications of this kind that specialize in displaying ads are quite common on Android. There is, however, a threshold in their behavior beyond which our anti-virus products begin to respond to them. The above-mentioned potentially unwanted applications (PUA) contain additional mechanisms for self-defense and for obstructing their removal from the system; they also use special techniques for circumventing Google Bouncer. That is why our products detect them as unwanted.
Obviously, once the user understands the true purpose of the installed application, they will want to delete it. This will be difficult, however, because the application initially asks the user to activate device administrator mode for it.

Fig. One of the unwanted Cheats for Pou apps on Google Play.

Fig. Unwanted app "Cheats For Subway" in the Google Play Store.

Fig. One of the unwanted Guide For SubWay apps on Google Play.
All of these unwanted apps were removed from Google Play after we notified Google. ESET anti-virus products detect this unwanted software as Android/AdDisplay.Cheastom.

After device administrator mode is activated, the application tries to determine its execution environment: a user's device, an emulator, or Google's servers (Bouncer). Its anti-Bouncer method is to obtain the device's IP address and look it up in a WHOIS service. If the information returned by the service contains the word Google, the application assumes that it is running in the Bouncer environment. In that case the application disables its main function, the display of advertising, and the user is left with only the functionality the application originally declared.

In the Cheats for Pou and Cheats for Subway applications that we found, not only the unwanted functions are similar, but also the ones declared by the developers themselves, i.e., providing the user with cheats for games. The developers did not even bother to supply these programs with the appropriate cheats: the Cheats for Pou application shows cheats for Subway Surfers. On this basis alone it can be argued that providing cheats to the user is not the developers' main goal.

Fig. Part of the list of cheats displayed by the application.
When launched on a user's device, the applications show full-screen ads every 30 or 40 minutes. When run in an emulator environment, advertising will still be displayed after the device is rebooted, and the interval for displaying full-screen advertising will be 45 minutes.

Fig. Examples of unwanted ads displayed by applications.
After the time period has elapsed, the application checks whether an internet connection is available. If it is, the application contacts the attackers' remote server for instructions on displaying the advertisement.

Fig. Application interaction with a remote server.
Removing Android/AdDisplay.Cheastom applications from a device is problematic, as many users have already noted in their comments on Google Play. This is because the application requests device administrator mode when it is installed. It can also hide its launcher icon in Android. To remove such an application from the system, the user needs to deactivate device administrator mode for it.

If you use ESET Mobile Security on your device, it can delete the unwanted software for you, but first you need to enable detection of potentially unwanted applications in the advanced settings menu (Antivirus -> Advanced Settings -> Detect Potential Unwanted Applications).

Fig. Unwanted software detection feature in ESET Mobile Security.
If ESET Mobile Security is not installed on the device, the user can remove the applications manually using the steps below.


Fig. Steps to be taken by the user to remove Android/AdDisplay.Cheastom.
After deactivating the administrator mode, applications can be removed via Android settings.
Conclusion

The above applications are unwanted software designed to display full-screen advertisements. They disguise themselves as applications that are of considerable size and provide cheat codes from games to their users. The applications contain special features to bypass Bouncer, the security mechanism of the Google Play app store.

The applications' unwanted features are not activated if they are launched in an emulator or on one of the servers owned by Google. The applications also receive instructions from a remote C&C server that can instruct them to display ads. These potentially unwanted applications, under the general name AdDisplay, are examples of applications whose behavior is very annoying to users and that are difficult to remove from the user's device.
