Up to 150 million Android users have potentially been exposed to rogue malware via as many as 206 applications previously found on the Google Play Store, Check Point Research reports. Designated SimBad due to the disproportionate number of simulation-style games impacted, the malware was part of an ad campaign tool in an “RXDrioder” SDK offered through ‘addroider[.]com’. Researchers believe that most, if not all of the developers who were using RXDroider were unaware of its deficiencies.
The functionality of SimBad can be summarized under three separate categories, including phishing, the ability to show advertisements, and exposure to secondary apps. The latter of those centered around exposing the user to apps via automated, unsolicited downloading or showing out-of-scope ads for those apps. It could also send users to the Play Store or other markets where infected apps were available.
The first of the three capabilities applied more directly to SimBad’s ability to send users to malicious websites, including websites that would prompt sign-in and collect user data from forms.
Each of the over 200 applications spotted by researchers has since been removed from the Google Play Store via Google's policies but some of those were extremely popular. The combined total of installations across all apps affected comes out to just short of 150 million downloads, equating to up to that many people having been impacted.
Among the apps affected, most were gaming titles leaning heavily toward the simulation genre such as Snow Heavy Excavator Simulator, Hoverboard Racing, Real Tractor Farming Simulator, or Car Parking Challenge. The first of the titles listed here was marked at over ten million downloads while the remaining apps were downloaded at least five million times.
Several other apps matched those figures too with dozens more being download at least one million times, including some that weren't simulation games at all. Apps in the personalization and utility categories such as Volumen Booster, My name on Live Wallpaper, Deleted Photo Recovery, Secret screen recorder, Phone Finder, or Face Beauty Makeup were downloaded at least 500,000 times and upwards of a million times.
SimBad did contain one other trick up its sleeves to prevent removal, making matters worse for those who may have had an app install secondary services. Namely, it contains the capability to hide app icons from the app launcher so that users can't find and remove a malicious app after it's installed.
That means that despite the fact that a complete list of apps impacted by this malware can be found at the source, it may not be immediately apparent that a user has been affected.
Regardless, keeping a lookout for apps on the list and any other applications that remain on their handsets despite being removed from the Google Play Store is a good place for users to start. Policies of the app market place don't necessarily extend to removing the affected app from a device and protective applications don't always catch misbehaving applications either. If Google has removed an application from its market, there is generally a good reason that action was taken.
Malware can be found just about anywhere, so due diligence is still the best preventative measure a user can take.