Researchers at Check Point have uncovered a sophisticated malware campaign spreading the SimBad agent through the official Google Play Store. According to experts, more than 150 million users were already impacted.
SimBad disguises itself as advertising code: it is hidden in the RXDrioder software development kit (SDK), which is distributed for advertising and monetization purposes. Every application built with the tainted SDK therefore carries the malicious code.
“The malware resides within the ‘RXDrioder’ Software Development Kit (SDK), which is provided by ‘
“The malware has been dubbed ‘SimBad’ due to the fact that a large portion of the infected applications
The domain ‘
The SimBad malware is also able to redirect Android users to compromised phishing websites and to download more malicious applications either from the Play Store or from a remote server.
Once an Android user downloads and installs an infected application, SimBad registers itself for the ‘BOOT_COMPLETE’ and ‘USER_PRESENT’ intents. This lets the malware act as soon as the boot phase has completed and while the unaware user is using the device.
Once installed, SimBad connects to its Command and Control (C&C) server and receives a command to execute. It removes its icon from the launcher, which makes it harder for the user to uninstall the malicious app; at the same time it starts displaying background ads and opening a browser at a given URL to generate fraudulent revenue without raising suspicion.
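The persistence behaviour described above (a receiver registered for the boot-completed and user-present broadcasts) is visible in an app's manifest before the app ever runs. The following static triage check is an added example written for this article, not Check Point's tooling or anything from the SimBad analysis: it parses an AndroidManifest.xml and reports every `<receiver>` whose intent filter listens for those actions, together with whether the boot permission is requested. The two manifests, package names and receiver class names are constructed for the example; the report's ‘BOOT_COMPLETE’ is the platform action `android.intent.action.BOOT_COMPLETED`.

```python
import xml.etree.ElementTree as ET

# Clark-notation key for the android: namespace used by every manifest attribute.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Broadcast actions the report says SimBad registers for. The article abbreviates
# the first as 'BOOT_COMPLETE'; the real platform constant ends in 'COMPLETED'.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"


def persistence_receivers(manifest_xml: str) -> list[dict]:
    """Return one record per <receiver> whose intent filters include a
    BOOT_COMPLETED or USER_PRESENT action. Each record names the receiver
    class, the matching actions, and whether RECEIVE_BOOT_COMPLETED is requested."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    has_boot_perm = BOOT_PERMISSION in requested

    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for receiver in app.iter("receiver"):
        actions = {
            a.get(NAME)
            for f in receiver.findall("intent-filter")
            for a in f.findall("action")
        }
        hit = sorted(actions & PERSISTENCE_ACTIONS)
        if hit:
            findings.append({
                "receiver": receiver.get(NAME),
                "actions": hit,
                "boot_permission": has_boot_perm,
            })
    return findings


def triage(manifest_xml: str) -> str:
    """Coarse verdict for a review queue: 'review' when any receiver hooks a
    persistence broadcast, otherwise 'none'. This is a signal, not a conviction."""
    return "review" if persistence_receivers(manifest_xml) else "none"


# Constructed sample: a game whose bundled SDK (hypothetical package names)
# wires a receiver to both broadcasts and asks for the boot permission.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.racingsim">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Racing Sim">
    <activity android:name=".MainActivity"/>
    <receiver android:name="com.example.adsdk.WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a plain wallpaper app with no receivers at all.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpapers">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest), persistence_receivers(manifest))
```

Two caveats when using this in practice. Plenty of legitimate apps (alarm clocks, messengers, sync clients) register for BOOT_COMPLETED, so a hit means "look closer", not "malicious"; the stronger signal in the report is the combination with icon removal and background browser launches. That icon removal happens at runtime (the launcher entry is disabled programmatically rather than declared in the manifest), so a static manifest scan like this one cannot see it; that behaviour only shows up in dynamic analysis or on-device telemetry.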
“‘SimBad’ has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications. With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.” continues the expert.
“With the capability to open market applications, such as Google Play and 9Apps, with a specific keyword search or even a single application’s page, the actor can gain exposure for other threat actors and increase his profits. The actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware once it is required.”
According to Check Point, most of the infected applications are simulator games, followed by photo editors and wallpaper applications. Below is the list of the top 10 apps infected with SimBad malware:
The full list of malware-infected apps is available here.