Advertising is one of the primary methods to generate money from mobile devices. Ads can be displayed in the browser when you visit a specific website or can appear in free apps. In the case of mobile apps, the developer must select a theme that attracts many users to increase revenues. There is probably no better Internet theme than sex-related content.
According to CovenantEyes, one in five mobile searches is for pornography, so it is clear that creating adult-oriented apps or distributing them as adult content is one of the best options to attract users. Because these users are looking for adult content, it also makes sense to display sexually explicit ads. However, these kind of advertisements are not allowed in most popular ad networks. (AdWords, for example, prohibited sexually explicit content in March 2014.) Apps that contain or promote sexually explicit content are not allowed in official app stores such as Google Play.
How can these adult apps maximize app distribution and ad revenue on the user’s network without using the most popular ad networks and app stores? In the case of distribution, Intel Security Mobile Research recently found some apps that use social networks such as Twitter to post links pointing to an .apk file with a sex-related filename:
Popular adult sites can also appear in the filename of the .apk:
The downloaded app usually pretends to be a video app, using icons that sometimes belong to legitimate apps such as YouTube:
or a generic video app:
The functionality of these apps is pretty basic. As soon as it is executed, it will display a sexually explicit image and appear to load content. However, in the background the app is busy running a ping request to a remote server:
This is a way to obtain the external IP address of the user and the campaign ID needed to locate and deliver the ads:
In a similar way, the adware uses another server to test the Internet connection by requesting a specific HTML page:
Which will return “OKJA” if the connection is successful:
In addition to the connectivity checks, the app will load the “OfferURL,” its main purpose, to deliver ads by redirecting the request to a specific URL:
The data sent to the ad delivery URL contains:
- Device UUID: Unique device identifier.
- AppVer: Version of the app.
- TrafficSource: Distribution method of the app. In the preceding case, “Exo” stands for ExoClick, an online advertising company that allows sexually explicit content.
- CampaignID: The ad campaign’s unique identifier.
- Action: In the preceding case, LoadOffer gets ads as well as runs other actions without the user’s consent.
- HourSinceInstall: The app will report how much time has passed since its installation every time a request to the ad delivery URL is submitted.
- Flag: In the preceding case, Main is the primary behavior of the app; another flag reports secondary behavior.
- AdsCount: The number of ads that have been displayed to the user since the app’s installation.
- OriIP: External-facing IP address of the device.
- Connection: A connection log that contains the changes between wireless and mobile connections made by the app to change IP addresses and avoid being blocked by ad networks.
Next a redirection within the same server gets the real URL (ymtracking.com) to deliver the ads:
Finally, the URL with the ad is obtained from ymtracking:
Once the ad is delivered and the user clicks on or closes it, the app loads a popular porn site, just to exercise the video aspect. So far we have an app that displays adult ads when executed—but when the device starts or the phone state changes (for example, with an incoming call), the app sets a system alarm to execute additional instructions every 90 minutes. The first action is to check the unique device identifier with the remote server:
After that check, if the screen is on and the user is interacting with the device, the app will pop up additional adult ads but this time with user interactions such as “scroll” or “dosome”:
In the case of “scroll,” the adware will scroll to a specific position:
In the case of “dosome,” the app will simulate touch events:
In addition to this potential click-fraud behavior executing in the background, some apps have implemented persistence mechanisms such as asking for device admin privileges to make it difficult to remove the app:
Or downloading another .apk from a remote server if it is already not installed:
If the payload is already installed, the app will attempt to launch it:
The payload pretends to be a system service:
When the app runs, it broadcasts the android.settings.DEVICE_INFO_SETTINGS to display general device data while in the background starting a service to deliver adult ads in a certain amount of time.
These apps can also take a screenshot of the display if the loaded URL contains specific characters, probably as proof that the ad was loaded on the device:
The screenshot is later sent to a remote server:
Mobile advertising is a huge business. It can bring in a lot of revenue but it also needs a big installed base. For that reason, adware developers will continue to generate these kinds of apps that are not malicious per se because they are only displaying ads. But they include questionable persistence mechanisms, like asking for device admin privileges to “activate” an app or to download, install, and launch payloads from remote servers.
We recommend you install security software, and not trust applications downloaded from unknown sources. McAfee Mobile Security detects this threat as Android/Adware.RubMobo and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.