Check Point, a security research team, discovered this week that more than 200 apps on the Google Play store were spreading SimBad adware before they were removed. The apps contained malicious code buried inside a software development kit (SDK) and were downloaded almost 150 million times globally.
The adware was dubbed SimBad because it affected mostly simulator games, like Snow Heavy Excavator Simulator, Ambulance Rescue Driving, and Fire Truck Emergency Driver. A full list of the infected apps can be viewed here.
The researchers said the Android apps in question were capable of phishing, showing ads, and exposing users to other malicious applications.
Google pulled the apps from its Play Store after being notified by Check Point. However, the security company noted that SimBad “already has the infrastructure to evolve into a much greater threat.”
Vulnerable to ad fraud
Problematic apps have been able to infiltrate Google’s Play Store more easily than Apple’s App Store because Google’s review process is less stringent.
Google has said that it’s continuing to make improvements in its ability to keep bad apps out of its Play Store. Last month, the company said it had fixed vulnerabilities in more than 75,000 apps in 2018, up 70 percent from 2016. The tech giant said it was able to remove 99 percent of harmful apps before they had been installed.
“We have this fantastic technology and it works 99.99994 percent of the time. But it’s never perfect,” Google VP and Head of Security for Google Play Dave Kleidermacher told TechCrunch.
Google said it takes instances of bad apps and malicious developers “extremely seriously, and will continue to innovate our capabilities to better detect and protect against abusive apps and the malicious actors behind them.”
In a separate report released Wednesday, Check Point noted that adware can often be hidden in an SDK. The firm said it found that an SDK hidden in 12 apps has been stealing contact information from up to 111 million devices in China.
"Before integrating SDKs into their mobile applications, developers need to be aware of potential risks of undocumented and malicious behaviors implemented in third party SDKs," Check Point said.