
238 Android apps infested with BeiTaPlugin adware: MDM anyone?

Richi Jennings Your humble blogwatcher, dba RJA

Google is asleep at the switch. Or at least, that’s the accusation from a report of hundreds of apps popping up ads all over people’s phones.

BeiTaPlugin, included in apps by CooTek/TouchPal, makes Android phones practically “unusable.” Ads pop up over other apps, on the lockscreen, and during phone calls—they even emit spooky audio messages while the screen is off.

And finding the app that’s triggering the ads is hard work for normies. In this week’s Security Blogwatch, we point fingers at Mountain View.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: HOWTO.

Get a grip, Google

What’s the craic? Curtis Franklin Jr. reports—Adware Hidden in Android Apps Downloaded More Than 440 Million Times:

Customers expect the apps they download from Google Play, Apple's App Store, and other officially sanctioned app repositories to be secure and have at least minimal respect for privacy. But … 238 applications in Google Play … hid BeiTaAd, a well-obfuscated ad plugin that could display ads on the device's lock screen, trigger video and audio advertisements even while the phone is asleep, and display ads outside the app that interfered with the user experience.

238 apps from a single publisher … contained adware that someone had gone to great lengths to hide. … Someone used very sophisticated techniques to obfuscate the adware executable. … The publisher, CooTek, is known for legitimate Android apps and is listed on the NYSE.

All affected apps [have] been either removed from Google Play or updated to versions that do not contain BeiTaAd.

Yikes. Roland Moore-Colyer adds—Adverts get squirted all over Android users' lock screens:

Guess what? More adware has sneaked past the automated security of Google's Play Store.

This is hardly the most malicious use of adware, but it would likely drive some Android users mad. … One way the adware hides is by not firing up adverts once an infected app is installed, but rather it waits at least 24 hours after the app is launched before cranking out ads.

The whole situation highlights that Google still has work to do to keep its Play Store free of digital nasties, though we guess that's part and parcel of having an open software ecosystem.

Who discovered it? Lookout’s Kristina Balaam—@chmodxx:

[The] BeiTaPlugin adware … renders a mobile device nearly unusable. … Users have reported being unable to answer calls or interact with other apps, due to the persistent and pervasive nature of the ads displayed.

All of the apps … were published by mobile internet company, CooTek, founded in 2008 in Shanghai. [It] is best known for its popular keyboard app, TouchPal. The BeiTaPlugin package, com.cootek.beita.plugin, is unsurprisingly bundled within TouchPal as well as numerous add-ons to their popular TouchPal keyboard, and several very popular health and fitness apps.

While the vast majority of free mobile applications monetize their apps through Ad SDKs or plugins, the persistence of the advertisements in this particular family, and the lengths to which the developer went to hide its existence, make the BeiTaPlugin concerning. [It] is renamed to the innocuous, icon-icomoon-gemini.renc, and is encrypted. … Malware authors commonly employ this technique of renaming executable files … to hide malicious assets in plain sight.

Wait. Pause. I thought Google had cracked down on these shenanigans? Andy Meek writes Once again, Google Play Store apps … are wreaking havoc:

Google has made headlines in recent months, both here and elsewhere, for its crackdown on malicious apps in its proprietary app marketplace, as well as on apps that cross all kinds of lines. … Unfortunately, we have to again report a similar turn of events.

All of which serves, of course, as yet another reminder (as if one was needed) that abuse of Google’s app marketplace remains an ongoing problem thanks to developers who continue finding ways to sneak past Google’s ability to police its store.

Why can’t Google get ahead of this problem? Here’s A_Very_Tired_Geek:

It's not that Google lacks the motivation. They lack the ability.

Google is playing a whack-a-mole game with malicious and/or abusive developers. This problem isn't limited to Google either. Apple and Microsoft both have similar problems with gating in bad applications to their stores.

What a lot of the general public and even the tech press seem to be unaware of is that a defense must … be perfect at all times in all ways against a determined attacker. The attacker only needs to get its shot in once. Until that paradigm changes … episodes like this will always occur.

So a sweary Jim Z writes:

I don't get why they do this **** at all, this can't be an effective way to advertise? "Hey, maybe I'll buy something from this thing which just royally ****ed up my phone," said no one ever.

Not even Stephen Phillips, who offers his experience:

I have a Samsung Galaxy Note 8. … It was putting ads up and I found it very hard to … get to my apps and stuff.

I clicked the lower left button that shows me all the apps that are open on my phone and allows me to close them. I first looked for BeiTa in my apps and couldn't find it. So I took a closer look at it in my running apps and noticed the app pic had 3 … with a rectangle around [it].

So I looked at my apps again and found a messenger that one of my apps had me install on the side. I removed it and my phone’s back to normal with no ads popping up.

And so does GILKau:

I too found that my battery was depleting very quickly, nuisance ads were being served frequently prior to doing the pattern login, but I couldn't find the app: "Smart Scan -QR & Barcode Scanner Free."

It seems that this bad behaviour started occurring after a recent auto-update of that app, which I discovered listed on MyApps/updates, I clicked on it and was able to uninstall from there. So far it seems that BeiTa Plugin has vanished and also the annoying ads.

But Amy Aleman is angst-ridden:

Pretty unhappy right now. I bought premium so I can get rid of the disgusting ads, yet I STILL GET THEM.

One of them is horrifying … there’s just clapping sounds followed by a gong and it continues whether I turn off my phone screen. Not fun.

Meanwhile, greenleaves eats and shoots: [You’re fired—Ed.]

I'm only using apps from Google, Huawei & NSA. No ads so far, fingers crossed.

The moral of the story?

For app devs: Don't be tempted to follow suit. And if you’re using a third-party ad framework SDK, make sure it’s not using these sorts of obnoxious practices.
For enterprise IT: Got MDM?
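
For app devs who want to check what a third-party SDK has put into their own build, here is one way to triage an APK for the kind of renamed, encrypted asset Lookout describes above. This is an added example, not code from Lookout, CooTek or this article; the entropy threshold, size floor, extension list and the sample archive are assumptions constructed for illustration.

```python
import io, math, os, zipfile
from collections import Counter

# Asset name quoted from Lookout's write-up on this page.
KNOWN_BAD_NAMES = {"icon-icomoon-gemini.renc"}
# Assumption: file types that are legitimately compressed, so high entropy is normal.
EXPECTED_HIGH_ENTROPY = {".png", ".jpg", ".jpeg", ".webp", ".gif", ".mp3",
                         ".ogg", ".mp4", ".zip", ".jar", ".gz", ".ttf", ".otf"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption, tune against your own builds
MIN_SIZE = 4096          # assumption: skip small files, entropy is noisy on them

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def audit_apk(apk) -> list:
    """Return (entry name, reason) pairs for bundled files worth a manual look."""
    findings = []
    with zipfile.ZipFile(apk) as zf:  # an APK is a ZIP archive
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = os.path.basename(info.filename)
            ext = os.path.splitext(base)[1].lower()
            if base in KNOWN_BAD_NAMES:
                findings.append((info.filename, "known BeiTaPlugin asset name"))
                continue
            data = zf.read(info)  # decompressed contents of the entry
            if (len(data) >= MIN_SIZE and ext not in EXPECTED_HIGH_ENTROPY
                    and shannon_entropy(data) >= ENTROPY_THRESHOLD):
                findings.append((info.filename, "high-entropy blob, unexpected extension"))
    return findings

def build_sample_apk() -> io.BytesIO:
    """Constructed stand-in for an APK (not a real app), built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/help.txt", "plain readable text\n" * 400)
        zf.writestr("assets/icon-icomoon-gemini.renc", os.urandom(8192))
        zf.writestr("assets/fonts/glyphs.dat", os.urandom(8192))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in audit_apk(build_sample_apk()):
        print(f"{name}: {reason}")
```

A hit on the entropy rule is a prompt to ask the SDK vendor what the file is, not proof of adware; the name match only covers the one filename reported here.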

And finally

Kristina Balaam demos how she does this sort of thing

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
