{"id":14963,"date":"2019-03-29T08:10:09","date_gmt":"2019-03-29T16:10:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/03\/29\/news-8712\/"},"modified":"2019-03-29T08:10:09","modified_gmt":"2019-03-29T16:10:09","slug":"news-8712","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/03\/29\/news-8712\/","title":{"rendered":"Awakening the beast: BatMobi adware"},"content":{"rendered":"<p><strong>Credit to Author: Nathan| Date: Fri, 29 Mar 2019 15:00:00 +0000<\/strong><\/p>\n<p>On February 12, a patron of the <a href=\"https:\/\/forums.malwarebytes.com\/\" target=\"_blank\" rel=\"noopener\">Malwarebytes Forum<\/a> alerted us of an issue with ad redirects that seemed to come out of nowhere. An outcry from other commenters filled the forum thread, all experiencing the same redirects to the same exact websites. Our web protection team traced the offending websites back to the culprit\u2014the adware known as BatMobi.<\/p>\n<h3>What is BatMobi?<\/h3>\n<p>BatMobi is an Advertisement Software Development Kit (Ad SDK), which is essentially a software library that connects applications to ad networks. Developers insert Ad SDKs into their apps&#8217; code to gain revenue through ads. Thus, they can offer their apps for free and still make money. Most variants of BatMobi were clean and safe to use\u2014until recently.<\/p>\n<p>Based on a Reddit post about the sudden web redirects on January 21, it appears these &#8220;clean&#8221; versions of BatMobi turned into mobile adware around mid January. Adware is a subcategory of <a href=\"https:\/\/blog.malwarebytes.com\/threats\/mobile-pup\/\" target=\"_blank\" rel=\"noopener\">Potentially Unwanted Programs (PUPs)<\/a>, which means it hangs around the fringes of bad behavior and often results in poor user experiences. Furthermore, BatMobi has always had a slightly more aggressive version we consider low-level adware. 
We detect this as <a href=\"https:\/\/blog.malwarebytes.com\/detections\/android-adware-batmobi\/\" target=\"_blank\" rel=\"noopener\">Android\/Adware.BatMobi<\/a>.<\/p>\n<h3>Triggered by Google Play<\/h3>\n<p>An interesting component of this newly seen BatMobi variant is the location in which it was popping up ads\u2014Google Play. Forum patrons verified the ads were popping up whenever an app was updating or installing in Google Play. BatMobi is using\u00a0<a href=\"https:\/\/developer.chrome.com\/multidevice\/android\/customtabs\" target=\"_blank\" rel=\"noopener\">Chrome Custom Tabs<\/a>\u00a0within its code to open websites in Google Play whenever it was triggered by these events. Although the websites being redirected to are relatively safe sites, they are an unwanted nuisance for the user\u2014exactly what we consider adware.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"27578\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/awaking-the-beast-adware-batmobi\/attachment\/1-56\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/1.png\" data-orig-size=\"1080,1920\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"1\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/1-169x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/1-338x600.png\" class=\"aligncenter size-medium wp-image-27578\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/1-169x300.png\" alt=\"\" 
width=\"169\" height=\"300\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/1-169x300.png 169w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/1-338x600.png 338w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/1.png 1080w\" sizes=\"auto, (max-width: 169px) 100vw, 169px\" \/><\/p>\n<h3>Tracking down the beast<\/h3>\n<p>Usually, pinpointing the source of an adware app on a customer&#8217;s device is simple, especially when knowing the adware variant, as in this case. Thanks to all the great Malwarebytes forum participants, I had a large set of data to work with in the form of what we call Apps Reports.<\/p>\n<p>This is a list of apps along with data about their MD5, package name, and other components to assist tracking down infections. Even with all the data, finding BatMobi was a nightmare: It hides deep within an app&#8217;s code, in different apps on each user&#8217;s device, and no other mobile anti-malware vendors detect it. Nevertheless, I was able to make some headway and find a couple of patterns of infection. Here were my findings.<\/p>\n<h4>Uptodown<\/h4>\n<p>The search started with the third-party app store Uptodown. 
More specifically, apps that download videos from YouTube, such as Videoder, Video Downloader, Snaptube, and TubeMate, were delivering ads to users the most. These apps all come with hidden versions of BatMobi. Removing these apps solved the issue for many, but it still persisted for others.<\/p>\n<h4>Mi Mobile<\/h4>\n<p>Another component that further complicates detecting and removing BatMobi is that we found it in apps <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/01\/the-new-landscape-of-preinstalled-mobile-malware-malicious-code-within\/\" target=\"_blank\" rel=\"noopener\">pre-installed<\/a> on Mi Mobile devices\u2014specifically, the Xiaomi Redmi Note 5. The infected apps are as listed:<\/p>\n<p>Package name:<em> com.mi.android.globalpersonalassistant<\/em><br \/> App name:<em> App vault<\/em><\/p>\n<p>Package name:<em> com.android.providers.downloads.ui<\/em><br \/> App name:<em> Downloads<\/em><\/p>\n<p>Please note that not all versions of these apps have BatMobi, nor do all Xiaomi Redmi Note 5 devices\u2014only a select few. Detections are in place in <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=org.malwarebytes.antimalware\" target=\"_blank\" rel=\"noopener\">Malwarebytes for Android<\/a> to alert users of its presence.<\/p>\n<p>If you are having issues with adware on pre-installed apps, you can <a href=\"https:\/\/forums.malwarebytes.com\/topic\/216616-removal-instructions-for-adups\/\" target=\"_blank\" rel=\"noopener\">follow our removal instructions for disabling or uninstalling<\/a>.<\/p>\n<p><strong>Warning:<\/strong> Make sure to read <strong>Restoring apps onto the device (without factory reset)<\/strong> in the rare case you need to revert\/restore apps.<\/p>\n<p>Use 
this\/these command(s) during step 7 under <strong>Uninstalling Adups via ADB command line<\/strong> to remove:<\/p>\n<p><em>adb shell pm uninstall -k --user 0 com.mi.android.globalpersonalassistant<br \/> adb shell pm uninstall -k --user 0 com.android.providers.downloads.ui<\/em><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"27581\" data-permalink=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/awaking-the-beast-adware-batmobi\/attachment\/3-37\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/3.png\" data-orig-size=\"717,869\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"3\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/3-248x300.png\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/3-495x600.png\" class=\"aligncenter size-medium wp-image-27581\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/3-248x300.png\" alt=\"\" width=\"248\" height=\"300\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/3-248x300.png 248w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/3-495x600.png 495w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/3.png 717w\" sizes=\"auto, (max-width: 248px) 100vw, 248px\" \/><\/p>\n<h4>Still unknowns<\/h4>\n<p>Even after finding two dominant sources of the BatMobi infection, there are still cases left unsolved. 
You see, as suddenly as the ads appeared, they abruptly stopped in early March. Without active cases to see whether removing apps remediates the problem or not, finding these deeply hidden BatMobi variants has become nearly impossible. I\u2019m confident that there are versions still on Google Play, but finding them now is like searching for a needle in millions of haystacks.<\/p>\n<h3>The scary reality of Ad SDKs<\/h3>\n<p>Technically, since these hidden BatMobi variants no longer trigger ads inappropriately, they are no longer considered adware. I suppose that&#8217;s the good news. My assumption is that BatMobi made a change on their servers without warning, thus triggering the ads in January. But we don&#8217;t know why there was an abrupt stop in March. What happened? Maybe an overwhelming number of complaints to BatMobi caused a change of heart?<\/p>\n<p>This all leaves us with an uneasy feeling about Ad SDKs. It highlights their power to switch from clean and safe to adware overnight. It&#8217;s a scary reality to have code lie dormant in legitimate apps that can turn malicious so quickly. I reiterate that yes, these website redirects were to relatively safe sites, but the potential for worse is present.<\/p>\n<h3>Developers beware<\/h3>\n<p>The last thing a developer wants is for their app to be on an anti-malware scanner&#8217;s adware list without warning. In the past, we have seen ad companies clearly move from legitimate to serving adware, becoming overly aggressive with data collection and\/or aggressively pushing ad content, as in the case above. However, in those cases it was easy to make a clear-cut distinction of the cause of infection. This time, it&#8217;s much more unclear which components were causing the issue, and so much is still left unknown.<\/p>\n<p>Unfortunately, finding an Ad SDK that developers can trust is an ongoing challenge. All we can say is do your research and choose wisely. 
If an Ad SDK has any variants that are considered adware, as with BatMobi, it\u2019s a wise decision to stay clear.<\/p>\n<p>Stay safe out there!<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/awaking-the-beast-adware-batmobi\/\">Awakening the beast: BatMobi adware<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/awaking-the-beast-adware-batmobi\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Nathan| Date: Fri, 29 Mar 2019 15:00:00 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/awaking-the-beast-adware-batmobi\/' title='Awakening the beast: BatMobi adware'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/03\/Featured_BatMobi.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>BatMobi is an Advertisement Software Developer Kit (Ad SDK) that was once clean and safe to use, but suddenly began serving adware in January. 
Learn more about this elusive threat, including how to clean it off pre-installed apps on mobile devices.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/mobile\/\" rel=\"category tag\">Mobile<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/adware\/\" rel=\"tag\">adware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/android\/\" rel=\"tag\">Android<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/batmobi\/\" rel=\"tag\">BatMobi<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile\/\" rel=\"tag\">Mobile<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile-adware\/\" rel=\"tag\">mobile adware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/website-redirects\/\" rel=\"tag\">website redirects<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/awaking-the-beast-adware-batmobi\/' title='Awakening the beast: BatMobi adware'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/awaking-the-beast-adware-batmobi\/\">Awakening the beast: BatMobi adware<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10468,10462,21410,4503,10554,15870,21411],"class_list":["post-14963","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-adware","tag-android","tag-batmobi","tag-cybercrime","tag-mobile","tag-mobile-adware","tag-website-redirects"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14963"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14963\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14963"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}