Mobile Ad Firms Spotted Serving Up Malware Posing As Google Play Apps

Malware creators have historically found creative ways to distribute their malicious wares across PC networks, and now they’ve turned their attention to mobile. In 2013, for example, there were a few high-profile cases where security firms like Palo Alto Networks and Lookout discovered how malware was being distributed through rogue mobile ad networks to Android devices. Today, security firm Avast has spotted another handful of ad firms distributing malware to mobile devices – but this time, the ads are pointing users to malware that are posing as “real” Google Play applications.

Combined, the three ad firms’ servers have around 185,000 views daily, which may make this a smaller scale malware distribution effort compared with the “BadNews” malware Lookout had found which had been downloaded somewhere between 2 million to 9 million times (assuming the malware-laden app downloads Lookout tracked were on the higher end of that range.) However, it may be larger than the Dplug malware Palo Alto discovered. The firm had collected just seven samples of it, mostly in Asia, at the time it detailed the malware’s methodology in a blog post last summer that was picked up by a number of tech press outlets.

185,000 views daily is not a whole lot in the grand scheme of things, and, of course everyone who is presented with the malicious ads are not becoming victims. Still, the most visited malicious subdomain Avast tracked had around 400,000 views in the last quarter, and likely a large number of those visitors were then affected by the malware. So this could be a fairly sizable distribution – and a good payday for the malware authors, even if it’s small in comparison to the number of Android users in the world.


The three firms hosting and distributing the malware are masquerading as legitimate mobile ad networks, (Spain), (London), and (Amsterdam). Of those, Espabit seems to be the largest, accounting for 150,000 views per day. It’s also the one serving up the subdomain that attracted the 400,000 views over the past few months.

App users are directed to pornographic sites via the ads displayed in their apps, Avast researcher Filip Chytry explains. Those sites then display a download for the malware-laden apps.

What’s interesting here is that the apps are not actually hosted on Google Play but everything about the page users are shown makes it appear that they are. The website looks just like a Google Play app download page, using the same color scheme, navigation, layout, and more. A green “download” button can be tapped to install the rogue app on the user’s device. The only hint that the app is not actually on Google Play comes from the domain displayed in the address bar. For example, instead of “…”, it may read “…”


Most of the apps links lead to pornography or fake apps, but because they’re not actually hosted on Google Play, the malware authors have designed official-looking pages that explain how to configure your phone to allow for their installation.

Users are told how to go into their Settings in order to make a change that permits them to install apps from “Unknown sources” – meaning anything that’s not Google Play.


While you may think that protecting yourself is as simple as leaving that Setting alone, many Android users have already turned this off in order to install legitimate apps – like those from Amazon.

Just yesterday, for example, it came out that Google had booted Amazon’s main shopping app from Google Play’s search results after Amazon made changes that introduced an app store within its app as well as other integrations with its Instant Video service. Google didn’t care for the competition, and forced Amazon to submit a new app without the app store section to Google Play instead. But Amazon’s earlier app, as well as its standalone Amazon Appstore app, are still available for download outside of Google Play – users just have to go into their settings and allow apps from “Unknown sources.” Uh-oh.

Given that a number of Android users will opt to disable this security setting in order to access the better version of Amazon’s app or browse the Amazon Appstore from their Android phone or tablet, that puts them at risk of stumbling across malware like this in the future and becoming victims themselves. They won’t even have to configure anything on their phone, just fall for the social engineering tricks.

The apps Avast encountered generate revenue for the creators by sending premium SMS while also stealing personal information from users. Each premium SMS only costs $0.25 and is sent three times a week, Avast notes. The amount stolen is small on purpose – people aren’t likely to notice if their phone bill is $3 higher that month. Over the course of the year, though, that’s $36 per victim. Multiply that by the number of victims  – think about the 400,000 potential victims in the past quarter for one app alone – and you’re looking at a payday in the multi-millions.

Many mobile carriers block premium SMS, including those in the U.S., U.K. and Brazil, so this is less a concern for users here. But Android’s worldwide footprint is massive, so even if the victims represent a small drop in the bucket in terms of Android’s total install base, there could still be a considerable number of affected individuals when something like this comes about.