Seventy-five Android apps available for download from the official Google Play Store have had to remove a malicious ad library that secretly contained adware called AdDown, which Trend Micro researchers discovered two years ago.
The adware appeared in January 2015. In addition to displaying ads to infected users, it could collect personal data from its victims, and at one point it could even install various applications secretly, without the user's knowledge.
Trend Micro reports that, over time, the adware was detected in over 800 Android apps uploaded to the Play Store, usually small utilities such as wallpaper converters, photo editors, and lens.
After an in-depth analysis of the applications infected by AdDown over the past two years, the researchers were able to identify three basic stages of its evolution: Joymobile, Nativedown, and Xavier.
The first stage was the simplest version of the adware, but it was also the one with the most annoying features, and it came equipped with a method for installing third-party applications behind the user's back.
The second stage removed this installation method, leaving only one that requires user approval, but it improved other features, such as communications encryption, internal string obfuscation, and user-friendly filtering to better personalize ads.
The third and final stage of AdDown was first detected in September 2016. While it generally improved on the features of the second stage, it also added support for detecting and avoiding sandbox environments.
This version also removed the ability to install third-party applications, probably because the adware's author realized that the adware would be more likely to remain unnoticed by showing ads occasionally and not forcing apps to smother the user in ads.
Experts say that over the past two years, millions of users seem to have downloaded and installed applications infected with one of these three versions of the AdDown adware. Trend Micro researcher Ecular Xu said that AdDown was distributed to various application developers as an ad SDK, which explains why it was found in so many applications. Xu has published a list of previously infected apps that have now removed AdDown from their code:
Package Name | Downloads | Date Xavier Removed |
com.ijksoftware.pdfcreator.camscanner | 10000-50000 | 2017/5/13 |
com.writeonpicture.textphoto | 100000-500000 | 2017/5/13 |
com.inateam.cooler.master | 500000-1000000 | 2017/5/13 |
com.equalizer.volumebooster | 1000000-5000000 | 2017/5/13 |
com.styletext.font.textonphotos | 100000-500000 | 2017/5/14 |
com.easytool.screenoff | 100000-500000 | 2017/5/13 |
com.inateam.pdfreader | 100000-500000 | 2017/5/13 |
com.placideagles.volumebooster | 500000-1000000 | 2017/5/13 |
com.allinOne.openquickly | 1000000-5000000 | 2017/5/13 |
com.inateam.ziprar | 100000-500000 | 2017/5/13 |
com.coramobile.speedbooster.cleaner | 1000000-5000000 | 2017/5/13 |
com.coramobile.security.antivirus | 1000000-5000000 | 2017/5/12 |
com.cleaner.memorybooster.ramoptimizer | 1000000-5000000 | 2017/5/13 |
com.coramobile.powerbattery.batterysaver | 100000-500000 | 2017/5/12 |
com.pdfviewer.pdfreader.edit | 500000-1000000 | 2017/5/13 |
com.cutterringtone.mp3cutter | 100000-500000 | 2017/5/14 |
com.coramobile.phonecooler.cpucoolermaster | 1000000-5000000 | 2017/5/12 |
com.autolockscreen.taptaplock | 50000-100000 | 2017/5/13 |
com.easycapture.screenshot | 50000-100000 | 2017/5/14 |
com.unziptool.rarextractor | 50000-100000 | 2016/11/18 |
com.convertmp3.videoconverter | 50000-100000 | 2017/5/13 |
com.lollicontact.caller | 50000-100000 | 2017/5/13 |
com.fattys.automaticcallrecording | 100000-500000 | 2017/5/13 |
com.ponosnocelleh.lolipoptheme | 50000-100000 | 2017/5/13 |
com.ponosnocelleh.threedtheme | 100000-500000 | 2017/5/13 |
com.mothrrmobile.volume | 100000-500000 | 2017/5/13 |
com.greenapp.voicerecorder | 10000-50000 | 2017/5/13 |
com.sunny.text2photo | 100000-500000 | 2017/5/13 |
com.fingerprint.lockscreen.prank | 100000-500000 | 2017/5/13 |
com.keeprr.cutpastephoto | 100000-500000 | 2017/5/13 |
com.billowy.equalizer.bassbooster | 100000-500000 | 2017/5/13 |
com.fattysgui.beautyfont | 100000-500000 | 2017/5/13 |
com.aecenraw.emojionphoto | 50000-100000 | 2017/5/13 |
com.appworksui.myfonts | 100000-500000 | 2017/5/13 |
com.forecast.weatherlive.weather | 10000-50000 | 2017/5/13 |
com.finder.photo.imagessearch | 10000-50000 | 2017/5/13 |
com.galaxygame.fighterwar | 100000-500000 | 2017/5/13 |
com.djayfree.mp3djmix | 100000-500000 | 2017/5/13 |
com.qrscan.qrreader.qrcode | 10000-50000 | 2017/5/13 |
com.yamagame.stormfighter | 100000-500000 | 2017/5/13 |
com.minfiapps.screenshost_capture | 100000-500000 | 2017/5/13 |
com.photogrid.frame.photocollage | 10000-50000 | 2017/5/13 |
com.greenapp.slowmotion | 100000-500000 | 2017/5/13 |
net.camspecial.clonecamera | 500000-1000000 | 2017/5/13 |
com.rartool.superextract | 100000-500000 | 2017/5/13 |
com.fattystudioringtone.mp3cutter | 50000-100000 | 2017/5/13 |
com.aepictur.textphoto | 100000-500000 | 2017/5/13 |
com.live3d.wallpaperlite | 100000-500000 | 2017/5/13 |
com.xatedses.changehaircoloreye | 100000-500000 | 2017/5/13 |
com.podhengy.haircolor | 100000-500000 | 2017/5/13 |
com.mobilescreen.capture | 100000-500000 | 2017/5/13 |
com.keeprr.textonphoto | 100000-500000 | 2017/5/13 |
com.mobiletool.rootchecker | 100000-500000 | 2017/5/13 |
com.galaxy.strikeforce | 1000000-5000000 | 2017/5/13 |
com.podhengy.photoapp | 50000-100000 | 2017/5/13 |
com.albumpro.videoslide.galleryphoto | 50000-100000 | 2017/5/13 |
com.gpsonline.phonetracker | 500000-1000000 | 2017/5/13 |
com.maxmitek.livewallpaperaquariumfishfish | 50000-100000 | 2017/5/13 |
com.maxmitek.beachwallpaper | 50000-100000 | 2017/5/13 |
com.xatedsesmobile.picturesketch | 100000-500000 | 2017/5/13 |
com.efflicnetwork.ringtonecutter | 50000-100000 | 2017/5/13 |
com.gigmobile.booster | 100000-500000 | 2017/5/13 |
com.ponosnocelleh.launchers7 | 100000-500000 | 2017/5/13 |
com.magicvideo.editor.reversevideo | 50000-100000 | 2017/5/12 |
com.azurersweet.djvirtual | 500000-1000000 | 2017/5/12 |
com.sevideo.slideshow.videoeditor | 1000000-5000000 | 2017/5/12 |
com.fourapps.musicplayer.videoplayer | 100000-500000 | 2017/5/12 |
com.slowmotion.videoslow | 500000-1000000 | 2017/5/12 |
com.fourvideo.videoshow.videoslide | 1000000-5000000 | 2017/5/12 |
com.azurersweet.app2sdandremover | 100000-500000 | 2017/5/12 |
com.azurer.vpnproxy.supervpn | 500000-1000000 | 2017/5/12 |
com.azurersweet.launcher | 50000-100000 | 2017/5/12 |
com.appgpfaq.prankcrackscreen | 500000-1000000 | 2017/5/12 |
com.photoshow.videoeditor.slide | 100000-500000 | 2017/5/12 |
com.azurersweet.beautymakeup | 100000-500000 | 2017/5/12 |