If the prevalence of abusive Google Play apps has left you numb, this latest report is for you. Carefully concealed adware installed in Google-approved apps with more than 440 million installations was so aggressive that it rendered mobile devices nearly unusable, researchers from mobile security provider Lookout said Tuesday.
BeiTaAd, as the adware is known, is a plugin that Lookout says it found hidden in the emoji keyboard TouchPal and 237 other applications, all of which were published by Shanghai, China-based CooTek. Together, the 238 unique apps had a combined 440 million installs. Once installed, the apps initially behaved normally. Then, after a delay of anywhere between 24 hours and 14 days, the obfuscated BeiTaAd plugin would begin delivering what are known as out-of-app ads. These ads appeared on users' lock screens and triggered audio and video at seemingly random times or even when a phone was asleep.
Lookout's post said the developers responsible for the 238 apps went to great lengths to conceal the plugin. Early versions of the apps incorporated it as an unencrypted dex file named beita.renc inside the assets/components directory. The renaming had the effect of making it harder for users to know the file was responsible for executing code.
Later, app developers renamed the plugin to the more opaque icon-icomoon-gemini.renc and encrypted it using the Advanced Encryption Standard. The developers then obfuscated the decryption key within the code through a series of functions buried in a package named com.android.utils.hades.sdk. In later versions still, developers used a third-party library called StringFog, which used XOR- and base64-based encoding to hide every instance of the string "BeiTa" in the files.
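A static triage check for the first two concealment stages described above, as an added example that is not Lookout's tooling or code from the report: it flags files under assets/ that carry a DEX header under a non-.dex extension, and large high-entropy blobs with an opaque extension. The function names, the 7.5 bits-per-byte threshold, the 4096-byte size floor and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"  # every DEX header begins "dex\n" + version + NUL
# Formats that are compressed anyway, so high entropy there is expected.
COMPRESSED_EXT = (".png", ".jpg", ".webp", ".mp3", ".ogg", ".zip", ".gz")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_apk_assets(apk_bytes: bytes, threshold: float = 7.5):
    """Return (entry name, reason) for suspicious files under assets/.
    The threshold and the 4096-byte floor are assumed triage values."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename.lower()
            if not name.startswith("assets/") or info.is_dir():
                continue
            data = apk.read(info)
            if data[:4] == DEX_MAGIC and not name.endswith(".dex"):
                findings.append((info.filename, "dex-under-other-extension"))
            elif (len(data) >= 4096 and not name.endswith(COMPRESSED_EXT)
                  and shannon_entropy(data) >= threshold):
                findings.append((info.filename, "high-entropy-blob"))
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample archive; contains no real app code."""
    # Deterministic stand-in for AES ciphertext: 8192 hash-derived bytes.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/components/beita.renc", b"dex\n035\x00" + bytes(200))
        z.writestr("assets/components/icon-icomoon-gemini.renc", blob)
        z.writestr("assets/strings.txt", b"hello world\n" * 500)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in scan_apk_assets(build_sample_apk()):
        print(f"{reason:28} {name}")
```

A high-entropy hit is only a reason to look closer, since legitimate apps also ship encrypted or compressed assets; the DEX-header mismatch is the stronger signal.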