Android adware plugin crippled smartphones, say researchers

BeiTaPlugin adware in more than 200 apps in the Google Play Store effectively bricked smartphones

A hidden advertising plug-in with millions of installs is crippling mobile devices, according to security researchers.

Cyber security firm Lookout said the highly-obfuscated advertising plug-in "obscures the screen with forcibly displayed ads and triggers video and audio, even while the phone is asleep".

The plug-in also displays out-of-app ads, which affect a user's interaction with other applications on their device.


Named BeiTaPlugin, it has been discovered in 238 "unique" Android apps and is capable of rendering mobile devices nearly unusable.

Kristina Balaam, security intelligence engineer at Lookout, said: "Cumulatively, these applications amount to over 440 million installations, making this family unique in its prevalence and the level of obfuscation used to hide the plugin's existence."


"While the vast majority of free mobile applications monetise their apps through Ad SDKs or plugins, the persistence of the advertisements in this particular family and the lengths to which the developer went to hide its existence make the BeiTaPlugin concerning."

Although out-of-app ads are common, the ones in this plugin can have a highly detrimental effect on mobile devices.

Balaam explained how some people have experienced difficulty even answering calls and using other apps "due to the persistent and pervasive nature of the ads displayed".

She continued: "These ads do not immediately bombard the user once the offending application is installed, but become visible at least 24 hours after the application is launched.

"For example, obtrusive ads did not present themselves until two weeks after the application, Smart Scan (com.qrcode.barcode.reader.scanner.free), had been launched on a Lookout test device.

"Users have documented similar experiences on an Android forum discussion spanning several months, as well as in reviews left on the applications' Google Play pages."


Since its release last year, the app has been re-factored several times. "Earlier versions of applications that include the BeiTa plugin do so as an unencrypted dex file, beita.rec, within the assets/components directory of the package," explained Balaam.

"In more recent iterations, the BeiTa plugin is renamed to the innocuous, icon-icomoon-gemini.renc, and is encrypted using Advanced Encryption Standard (AES). Icomoon is an application that provides vector icon packs for designer and developer use.

"One Icomoon-compatible icon pack is named Gemini. Malware authors commonly employ this technique of renaming executable files to other file types (pdf, jpg, txt) to hide malicious assets in plain sight."

She added: "In later versions of the application, increased encryption and obfuscation techniques are applied to hide the plugin's existence."
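The two packaging variants Balaam describes, a DEX file stored under a non-DEX name and an AES-encrypted blob given an icon-pack name, can both be triaged from an APK's assets by looking at content rather than file names. The following is an added example, not Lookout's tooling: the entropy threshold, minimum size, extension allow-list and the constructed sample archive are all assumptions.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"      # every DEX file starts with "dex\n", then a version
ENTROPY_MIN = 7.5         # assumed cut-off in bits per byte for "looks encrypted"
MIN_SIZE = 4096           # assumed: entropy of very small files is unreliable
# Assumed allow-list of formats that are compressed, so high entropy is normal.
COMPRESSED = (".png", ".jpg", ".jpeg", ".webp", ".gz", ".zip", ".mp3", ".ogg")

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_apk_assets(apk) -> list:
    """Return (asset path, reason) for each suspicious file under assets/."""
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith("assets/"):
                continue
            data = zf.read(info)
            if data.startswith(DEX_MAGIC) and not name.endswith(".dex"):
                findings.append((name, "dex-under-other-name"))
            elif (len(data) >= MIN_SIZE and not name.lower().endswith(COMPRESSED)
                  and shannon_entropy(data) >= ENTROPY_MIN):
                findings.append((name, "high-entropy-blob"))
    return findings

def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in for an APK; contents are synthetic, not real samples."""
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        zf.writestr("assets/components/beita.rec", b"dex\n035\x00" + bytes(64))
        zf.writestr("assets/components/icon-icomoon-gemini.renc", blob)
        zf.writestr("assets/help.txt", b"plain text " * 500)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, reason in scan_apk_assets(build_sample_apk()):
        print(f"{reason}: {path}")
```

High entropy also describes ordinary compressed data, so the second finding is a triage signal for manual review rather than proof of an encrypted payload.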

After identifying the malicious plugin, Lookout reported it to Google and it has since been removed from all the affected apps.

"As of May 23rd, 2019, the 230+ affected applications on Google Play have either been removed or updated to versions without the BeiTa Plugin," Balaam concluded.
