A Collection of Ads Behind Your Favorite Game App With More Than 6 Million Downloads

– By Trustlook Research Team

A popular Chinese game with more than 6 million downloads secretly promotes other apps using a well-protected and widely used advertisement library.

Package name: com.xyz.ddz

Chinese App name: 欢乐逗地主

Download count: 6,000,000+


Trustlook has discovered a serious adware intrusion within one of the most popular game apps in China. Immediately after installation, the app behaves normally: the user can play the game without restrictions or advertisements. After approximately 4 hours, various kinds of large full-screen pop-up advertisements (i.e. adware) are displayed, even when the app is not in use.

The app displays this adware by importing two ad libraries. These libraries are implemented with native methods, including communication with the host app when prompted by the ad. Both libraries are widely used, yet many anti-virus vendors are unable to detect them. All strings in these ad libraries are encrypted, and together the libraries adopt at least 8 methods to display ads, including:

  • To display the ad in the middle of the launcher
  • To display the installation notification (which can not be closed) in the middle of the launcher
  • To display the ad in the middle of the browser
  • To display the ad banner at the top of the browser
  • To display the ad banner at the bottom of the browser
  • To display the ad banner at the top of the input method
  • To display a floating ad banner with the Angry Bird icon
  • To create a promoted app icon in the launcher

One of the most popular implementations of this adware is an ad in the middle of the launcher. If you click the ad, then one of the following three APKs will be downloaded:

  • Qihoo mobile assistant APK (when you click the first Ad screen)
  • Qihoo browser APK (when you click the second Ad screen)
  • Jiuyou APK (when you click the third Ad screen)

After the APK file has been downloaded, a pop-up window asks you to install it. If you click the Cancel button, the same pop-up reappears every 30 minutes or whenever you unlock your phone, asking again whether you would like to install the APK. The pop-up has no “close” button or feature. It is a never-ending loop that traps the user.

If you click the “Enter” button (which the app forces, since there is no other option to bypass the action), another window pops up.

When you open a browser, such as Google Chrome, the ads will be displayed at the top, bottom, or middle of the page. A message also shows up in the notification bar of your device.

Ads also appear in the notification bar and inside the browser page itself.
If you click the banner ad that is displayed on the bottom of a browser window, the following window containing three app icons will appear.

In addition to the pop-up ad displaying the three app icons, a floating banner icon, which looks like the Angry Birds icon, appears on your home screen.

If you click the Angry Birds icon, a window listing apps pops up.

Five hours after the app has been installed, it creates a shortcut to the Qihoo mobile assistant on the launcher screen, whether or not you close the ad. Sometimes the ad pops up suddenly and erratically.

Unfortunately, this shortcut is not a real shortcut that points to the Qihoo mobile assistant app. Instead it points to the Qihoo mobile assistant APK file, which is located on the sdcard at the path:

/sdcard/Download/oO_zziS7cMk=/uLRFttrgta+JdOk+ycQ/0Mdf4fxaQpU1MNb+F6O3YquZI+c=

The game did not install the Qihoo 360 app, but if you click this icon, it begins to install the Qihoo mobile assistant app.

After further analysis of this app, we discovered that the advertisement function is implemented in this module: com.xyz.ddz.gauxsw.

Most strings are stored encrypted and are decoded by the function com.xyz.ddz.gauxsw.d.a.a.a().

The string-decryption routine first base64-decodes the string (the first parameter of this function), then XORs the result against the bytes of the second parameter, the key string “7b120431-5374-40d1-84d6-624980271ac8”.

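As an added illustration of the scheme described above (this is example code written for this page, not Trustlook's decryption tool and not code from the app), the decoder below base64-decodes a string and XORs it with the key quoted in the write-up. The post does not say how the key is applied, so the example assumes the key repeats cyclically over the decoded bytes; the sample ciphertexts are constructed here by the inverse routine rather than recovered from the app.

```python
import base64
from itertools import cycle

# Key string quoted in the write-up as the routine's second parameter.
KEY = "7b120431-5374-40d1-84d6-624980271ac8"


def decrypt_string(encoded: str, key: str = KEY) -> str:
    """Base64-decode, then XOR byte by byte with the key.

    The cyclic (repeating-key) XOR is an assumption; the write-up only states
    that the decoded bytes are XORed with the key string.
    """
    data = base64.b64decode(encoded)
    key_bytes = key.encode("ascii")
    plain = bytes(b ^ k for b, k in zip(data, cycle(key_bytes)))
    return plain.decode("utf-8", errors="replace")


def encrypt_string(plaintext: str, key: str = KEY) -> str:
    """Inverse of decrypt_string; used here only to build constructed samples."""
    key_bytes = key.encode("ascii")
    data = plaintext.encode("utf-8")
    cipher = bytes(b ^ k for b, k in zip(data, cycle(key_bytes)))
    return base64.b64encode(cipher).decode("ascii")


# Constructed samples (not strings extracted from the app): the action name and
# binary path mentioned later in the write-up, encrypted with the routine above.
CONSTRUCTED_SAMPLES = [encrypt_string(s) for s in ("com.uu.action.wakeup", "/system/bin/am")]


def decrypt_all(samples):
    """Decrypt a list of encoded strings, e.g. all string constants pulled from a class."""
    return [decrypt_string(s) for s in samples]


if __name__ == "__main__":
    for enc in CONSTRUCTED_SAMPLES:
        print(enc, "->", decrypt_string(enc))
```

In practice the encoded strings would be harvested from the decompiled class (every call site of the decode function) and fed to decrypt_all; the XOR leaves non-printable bytes wherever the key assumption is wrong, which is a quick sanity check on the recovered scheme.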
Trustlook created a tool to decrypt these strings and recovered their plaintext values.

From the analysis we know that the ads are displayed by the com.yt.uulib and youtou.ad.api SDKs, two popular adware libraries.

These two ad libraries are able to display ads in two ways:

  • Floating banner
  • Fixed banner

We found that the app uses a self-protection mechanism to keep itself running and to evade anti-virus vendors. It runs 3 processes (one starts first and then forks two more). When you kill any of them, it restarts and runs all 3 processes again.

We also found that this app uses a native library to wake the main app. The native library file is named daemon_exe, is a .so file, and is placed in:

/data/data/com.xyz.ddz/files/jklm/VTcJhWmfUI6zvrYHQ0kO63_GpIHWtI2t/IL2msjinFbNh3jOA/RwR-jYJzNcY=/vR48I2IAv5GNfwRrMoe0zA==/daemon_exe

The main app checks whether the user’s phone is rooted. If it is, the main app launches daemon_exe as the root user.

After analyzing this native library file, we found that its main function is to communicate with the main app over a local TCP connection (127.0.0.1:5037, port 0x13AD) and then send it a broadcast to wake it up and display the ad.

Once running, the native library executes this command as the root user:

/system/bin/am broadcast -a com.uu.action.wakeup --es start_bc_send_id $ro.build.version.sdk(var)$ --include-stopped-packages --user 0

This command sends a broadcast with the action com.uu.action.wakeup. It carries one string extra, start_bc_send_id, whose value is the phone’s SDK version number (ro.build.version.sdk), and it passes --include-stopped-packages so that the broadcast also reaches packages the user has force-stopped, and --user 0 to target the primary user.

From the manifest, we know that this broadcast can be received by com.xyz.ddz.gauxsw.a.e.a.

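The manifest check above is the kind of triage an analyst repeats for every sample: which broadcast receivers exist, which actions they listen for, and which are reachable from outside the app. The script below is an added example written for this page (not Trustlook's tooling and not code from the app); it parses a constructed AndroidManifest.xml fragment that only reuses the receiver class and action named in the write-up, and reports the receivers registered for a given action.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest fragment modelled on the write-up: the receiver class and the
# wake-up action are the ones named in the text, everything else is illustrative.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.xyz.ddz">
  <application>
    <receiver android:name="com.xyz.ddz.gauxsw.a.e.a" android:exported="true">
      <intent-filter>
        <action android:name="com.uu.action.wakeup"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def list_receivers(manifest_xml):
    """Return {fully-qualified receiver class: {"exported": bool, "actions": [...]}}.

    On the Android versions this write-up concerns, a receiver that declares an
    intent-filter is exported unless android:exported="false" is set explicitly,
    so a missing attribute is treated as exported only when a filter is present.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    receivers = {}
    for recv in root.iter("receiver"):
        name = _attr(recv, "name") or ""
        if name.startswith("."):            # relative class name -> prefix the package
            name = package + name
        actions = [_attr(a, "name") for a in recv.iter("action")]
        exported_attr = _attr(recv, "exported")
        if exported_attr is None:
            exported = bool(actions)        # implicit export via intent-filter
        else:
            exported = exported_attr.lower() == "true"
        receivers[name] = {"exported": exported, "actions": actions}
    return receivers


def receivers_for_action(manifest_xml, action):
    """Receiver classes whose intent-filters match the given broadcast action."""
    return sorted(name for name, info in list_receivers(manifest_xml).items()
                  if action in info["actions"])


if __name__ == "__main__":
    for name, info in list_receivers(SAMPLE_MANIFEST).items():
        print(name, "exported=%s" % info["exported"], info["actions"])
    print("wakeup handlers:", receivers_for_action(SAMPLE_MANIFEST, "com.uu.action.wakeup"))
```

A custom action such as com.uu.action.wakeup registered on an exported receiver, with no matching sender inside the APK's Java code, is exactly the signal that points an analyst at a native component or external process as the sender.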
At the time of this release, the Trustlook Mobile Security app and Blue Frog Mobile Security app teams have detected the malicious behaviors of the sample being studied. 
