440 million Android users installed applications with an aggressive advertising plugin

Lookout specialists found that more than 440,000,000 users downloaded and installed 238 applications from the official Google Play catalog, infected with the BeiTaPlugin advertising library.

Since the researchers urgently notified Google of their discovery, and the company contacted application’s developers, 230 problematic applications have already been removed from the catalog or updated to safe versions that do not contain BeiTaAd.

“BeiTaAd is a well-obfuscated advertising plugin hidden within a number of popular applications in Google Play. The plugin forcibly displays ads on the user’s lock screen, triggers video and audio advertisements even while the phone is asleep, and displays out-of-app ads that interfere with a user’s interaction with other applications on their device”, — argue Lookout experts.

BeiTaPlugin SDK existed since the beginning of 2018, and previously it worked as originally intended: it provided application developers with a simple tool for displaying advertisements within their applications.

Developers trusted the SDK because it was created by the famous Chinese company CooTek, which used it as an advertising component for its own TouchPal application (a keyboard that was installed over 100,000,000 times).

Read also: In Google Play Store found nearly half a hundred of malware programs that mask under fitness applications

BeiTaPlugin began to abuse its options only in the spring of this year. In February-March, developers began to notice that the number of advertisements and pop-up windows increased, and they appeared unexpectedly, outside of running applications, and blocked access to the screen and phone functions.

Lookout experts write that it is almost impossible to use a device because of such an advertisement: it makes it difficult to answer calls, work with applications, and so on.

Apparently, authors of BeiTaPlugin understood that such behavior of their SDK would not be perceived too well and tried to disguise aggressive advertising practices by obfuscating a code. In addition, applied delay in displaying any advertisements for 24 hours after the first launch of an infected application, making it difficult to detect the exact source of advertisements.

Users are advised to update such applications or remove them altogether from their devices.

Source: https://blog.lookout.com