Android Malware Campaigns SimBad Adware and Operation Sheep Reportedly Installed 250 Million Times

Researchers at Check Point reported two Android malware campaigns that have more than 250 million combined installs: SimBad and Operation Sheep. The two campaigns rely on malware embedded in their software development kits (SDKs). The researchers found SimBad (detected by Trend Micro as AndroidOS_SimBad.HRX), an Android adware, in 206 applications uploaded on Google Play that have been collectively downloaded nearly 150 million times. Operation Sheep (AndroidOS_SheepLeak.HRX), which illicitly collects contact information on affected devices, were found on 12 applications with 111 million downloads. The researchers have already disclosed their findings to Google; Google has since removed the SimBad-infected apps from the Play Store.

 [Trend Micro Research: Google Play Apps Drop Anubis Banking Malware, Use Motion-Based Evasion Tactics]

SimBad Adware can Expose Affected Devices to Other Threats

SimBad sports various capabilities that include removing its icon from the launcher. This is a known technique that makes it difficult for the user to uninstall or delete malicious Android apps. SimBad also displays ads in the background, and can open browsers and load a specified domain/URL, as well as app stores and third-party marketplaces.

The researchers note that SimBad’s capability to open any given URL could expose users to phishing. SimBad’s authors can further capitalize on their malware by opening the app stores installed on the affected device to install additional apps. This tactic resembles another operation that Trend Micro uncovered in late January, involving various malicious apps that posed as beauty camera apps. Apart from constantly showing ads (and configuring which ads are displayed), the apps also redirected users to phishing pages. 

[READ: Turning Your Data Against You: Cybercrime’s New Norm?]

Operation Sheep Can Steal Data Stored on External Storage

Operation Sheep stole information via a data-stealing functionality integrated in the application’s SDK. Named SWAnalytics, it checks if the device reboots or launches an affected app, and then uploads the phone’s contact list to specified servers. Given the kind of data SWAnalytics harvests, Operation Sheep appears to be concentrated in China so far.

Operation Sheep, according to the researchers, is the first real-life campaign to exploit the Man-in-the-Disk flaw. SWAnalytics scans an affected device’s external storage for data of interest, such as QQ login information, as well as the device’s model and brand, installed applications, geolocation, and running processes. These kinds of information can then be monetized by selling them to advertisers and retailers that have referral programs — or even to cybercriminals or fraudsters.

SimBad and Operation Sheep reflect the trends in the current mobile threat landscape, where seemingly innocuous applications are used as springboards for ad fraud. In 2018, for instance, Trend Micro’s mobile app reputation service (MARS) identified 1,088 Android applications embedded with SDKs used in a massive ad fraud scheme that cost businesses at least US$75 million in losses. These applications, claimed as educational, leisure, and utility apps, had combined installs of over 120 million. Other scammers passed their fraudulent apps off as device utility/optimization, wallpaper, and entertainment apps, using various techniques to monetize ad displays.

[READ: A Practical Guide to Mobile Safety]

The mobile platform’s ubiquity makes it a trove of data that cybercriminals can monetize. SDK providers that illicitly sell personal data, for instance, are expected to shift to using stealthier techniques like click fraud and overlay attacks. For users, this highlights the importance of adopting best practices for securing mobile devices: Beware of unsolicited messages, avoid connecting to unsecure networks, and limit the permissions and information given to apps. Businesses should do the same, particularly when implementing Bring-Your-Own-Device (BYOD) policies.