  • Security researchers from Lookout discovered adware in 238 Android applications that cumulatively have over 440 million installations.
  • Known as ‘BeiTaPlugin’, the highly obfuscated ad plugin was found to interfere with the device’s functionality.

Security experts have uncovered a hidden ad plugin present in 238 Android apps. Researchers from security firm Lookout found the malicious plugin in apps that were collectively downloaded over 440 million times. Known as ‘BeiTaPlugin’, the adware was highly obfuscated to cloak itself in the apps.

After Lookout notified Google, the tech giant removed the plugin from all the affected apps.

Worth noting

  • Lookout’s researchers indicate that BeiTaPlugin was refactored multiple times after its release in 2018.
  • A recent version of the plugin was renamed to icon-icomoon-gemini.renc and was encrypted with AES. The plugin also uses a third-party library called StringFog for additional obfuscation.
  • As a result, BeiTaPlugin is never installed separately on the device and can only be removed by uninstalling the affected application.
  • The apps that came with this plugin were published by CooTek. The company is known for releasing popular apps such as TouchPal.
  • All affected apps are reported to be either removed from Google Play or updated to versions without BeiTaPlugin.
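
The renamed, AES-encrypted plugin file described above gives defenders two things to look for when triaging an APK: the reported file name, and opaque entries whose contents look encrypted. The following is an added example, not code from Lookout or from the article; the entropy threshold, size floor, extension list and the sample archive (including its entry paths) are assumptions constructed for illustration.

```python
import io
import math
import os
import zipfile
from collections import Counter

# Indicator taken from the article: the renamed, AES-encrypted plugin file.
KNOWN_PLUGIN_NAMES = {"icon-icomoon-gemini.renc"}
# Assumption: these extensions hold compressed/media data, where high entropy is normal.
EXPECTED_DENSE = {".png", ".jpg", ".webp", ".gif", ".mp3", ".ogg", ".mp4", ".zip", ".jar"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off for "looks encrypted"
MIN_SIZE = 4096  # assumed floor; entropy estimates for tiny files are unreliable

def shannon_entropy(data: bytes) -> float:
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def triage_apk(apk) -> list:
    """Return (entry name, reason) pairs for entries that deserve manual review."""
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = os.path.basename(info.filename)
            ext = os.path.splitext(base)[1].lower()
            if base in KNOWN_PLUGIN_NAMES:
                findings.append((info.filename, "known BeiTaPlugin file name"))
            elif ext in EXPECTED_DENSE or info.file_size < MIN_SIZE:
                continue
            elif shannon_entropy(zf.read(info)) >= ENTROPY_THRESHOLD:
                findings.append((info.filename, "high-entropy opaque asset"))
    return findings

def build_sample_apk() -> io.BytesIO:
    """Constructed sample archive (not a real APK) used only for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Random bytes stand in for ciphertext; the entry paths are hypothetical.
        zf.writestr("assets/icon-icomoon-gemini.renc", os.urandom(8192))
        zf.writestr("assets/config.dat", os.urandom(8192))
        zf.writestr("assets/help.txt", b"Tap the keyboard icon to begin.\n" * 300)
        zf.writestr("res/drawable/logo.png", os.urandom(8192))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in triage_apk(build_sample_apk()):
        print(f"{name}: {reason}")
```

A high-entropy hit is only a prompt for manual review, since legitimate apps also ship encrypted or compressed assets under unusual extensions.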

Devices rendered inoperable

In a blog post, Kristina Balaam, Security Intelligence Engineer at Lookout, described how the plugin made devices almost inoperable. “While out-of-app ads are not particularly novel, those served by this plugin render the phones nearly unusable. Users have reported being unable to answer calls or interact with other apps, due to the persistent and pervasive nature of the ads displayed,” wrote Balaam.

“These ads do not immediately bombard the user once the offending application is installed, but become visible at least 24 hours after the application is launched,” Balaam further added.

Cyware Publisher