Up to 150 million users might have downloaded and installed an Android app on their phones that contained a new strain of adware named SimBad.
The adware was disguised as an advertising kit named RXDrioder that all the impacted apps had used to control how ads were being shown to their users.
But according to a report shared with ZDNet today by Israeli cyber-security firm Check Point, the RXDrioder makers were secretly using their kit's code to hide malware inside other apps and hijack devices to show ads for their own profit.
"We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific county or developed by the same developer," Check Point said.
In total, the company identified the malicious advertising kit inside 210 Android apps that had been uploaded on the official Google Play Store, all of which were downloaded by close to 150 million users.
Most of the tainted apps were racing or shooter games.
Check Point says that the RXDrioder kit contained a lot of sneaky features that don't have any place in an advertising software developer kit (SDK).
For example, RXDrioder could hide the icons of an app, a tactic most often found in Android malware, which uses it for the sole purpose of hiding malicious apps from view and making it harder for users to uninstall them.
But despite this being a sneaky feature, Check Point says that SimBad's operators primarily abused legitimate advertising SDK features for their private profit.
The SimBad crew had the ability to send instructions to all the apps that integrated the RXDrioder SDK and control them behind their real developers' backs.
Image: Check PointCheck Point says crooks primarily abused the SDK's ability to overlay ads, abusing it to show their own ads. However, they could also force a user's browser to open at a specific URL to show additional ads, or even open the Play Store and 9Apps app stores to specific apps, in case they wanted to participate in pay-per-install app monetization schemes.
But these weren't all the features that Check Point unearthed in the adware's code. SimBad could also show custom notifications, and even install new apps from a designated server behind the user's back.
At the time of writing, all the apps that used the RXDrioder SDK and were vulnerable to being controlled by the SimBad crew, have been taken down.
"Google responded quickly," Jonathan Shimonovich, R&D Group Manager at Check Point, told ZDNet via email. "It took them a couple of weeks to review the apps and conduct their own investigation until [the apps were] finally removed."
A list containing the names and package codes of all the 210 SimBad-affected apps will be available in Check Point's report, which will go live later today at this link.
SimBad's scale is massive, and the adware now joins the ranks of similarly bad Play Store adware infestations, such as Chamois, Googligan, and HummingBad.
For what's it worth, Shimonovich told ZDNet that Check Point hadn't identified any connections between SimBad and the other adware strains, meaning this is most likely a new threat.