Barcode Reader Apps on Google Play Found Using New Ad Fraud Technique

By Jessie Huang (Mobile Threats Analyst)


We recently saw two barcode reader apps in Google Play, together downloaded more than a million times, that started showing unusual behavior (Trend Micro detects these as AndroidOS_HiddenAd.HRXJA). This includes behavior that can be seen even when the user is not actively using the phone; the video below shows an example:



Video 1. Flashing Adware Page


What happened here? What caused the screen to flash? Let’s find the answer by examining the code.


As we noted earlier, the app pretends to be a barcode reader. This part of the app actually works as advertised. However, when run, the app also starts a background service and uses a received notification to keep the service running in the background. This service is disguised using the package name “com.facebook” even though it has nothing to do with Facebook.



Figure 1. Malicious code disguised using Facebook’s name


The service uses a timer to show ads every 15 minutes. It uses what appears to be random data to both control this behavior and hide it from unsuspecting eyes.



Figure 2. Timer to show ads
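
One way a defender could spot the timer-driven ad display described above in device telemetry, as an added example that is not code from the original post or from the analyzed apps. The log format, package names, timestamps and thresholds are assumptions constructed for illustration; only the 15-minute period comes from the text.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not from the original post). Assumed format:
# "<ISO time> <package> ACTIVITY_START screen=<on|off>"
SAMPLE_LOG = """\
2018-03-01T01:00:05 com.example.scanner ACTIVITY_START screen=off
2018-03-01T01:15:04 com.example.scanner ACTIVITY_START screen=off
2018-03-01T01:30:06 com.example.scanner ACTIVITY_START screen=off
2018-03-01T01:45:05 com.example.scanner ACTIVITY_START screen=off
2018-03-01T09:02:11 com.example.mail ACTIVITY_START screen=on
2018-03-01T09:40:47 com.example.mail ACTIVITY_START screen=on
2018-03-01T02:10:00 com.example.alarm ACTIVITY_START screen=off
2018-03-01T07:30:00 com.example.alarm ACTIVITY_START screen=off
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ACTIVITY_START screen=(on|off)$")

def parse_unattended_launches(log_text):
    """Return {package: sorted launch times} for launches made with the screen off."""
    launches = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "off":
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # timestamp field present but not a valid ISO time
        launches[m.group(2)].append(ts)
    return {pkg: sorted(times) for pkg, times in launches.items()}

def find_timer_driven(log_text, period_s=900, tolerance_s=30, min_launches=4):
    """Flag packages whose screen-off launches recur at roughly period_s seconds."""
    flagged = {}
    for pkg, times in parse_unattended_launches(log_text).items():
        if len(times) < min_launches:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        on_period = [g for g in gaps if abs(g - period_s) <= tolerance_s]
        # Require most gaps to sit on the period so one coincidence is not enough.
        if len(on_period) / len(gaps) >= 0.8:
            flagged[pkg] = round(median(gaps))
    return flagged
```

Because the interval is delivered in the server-supplied configuration, a fixed 900-second period is only a starting point; sweeping `period_s` over a range catches the same pattern after a configuration change.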




Figures 3 and 4. Adware configuration traffic


The “random data” is received from the command-and-control server and contains configuration information, ad IDs, and other commands from that server. It may open specified content in the phone’s browser or start an activity with the