Intrusive BeiTaAd adware found in 238 Play Store apps
Threats / BeiTaAd adware that renders smartphones unusable found in 238 Play Store apps
6 June 2019
BeiTaAd, a highly-intrusive adware plugin that displayed advertisements on smartphone lock screens and triggered video and audio advertisements even while the phone was asleep, was discovered in as many as 238 unique applications on the Google Play Store.
The 238 applications on the Google Play Store that feature BeiTaAd plugin enjoyed over 440 million installations and were published by CooTek, a Shanghai-based mobile internet company that recently got listed on NYSE.
The most popular among these apps is the TouchPal keyboard app that has been downloaded over a hundred millions times on the Google Play Store. Apps published by CooTek also include a number of very popular health and fitness apps that have been downloaded by millions of Android device users as well.
According to security researchers at Lookout, the BeiTaAd plugin was first introduced in 2018, is encrypted using Advanced Encryption Standard (AES), and piggybacks on popular Android apps published by CooTek on the Google Play Store.
It is difficult for the lay user to detect BeiTaAd as it is never installed in the device and is not listed as an installed package. For the same reason, a user cannot get rid of the plugin until the user uninstalls the entire application from his/her device.
BeiTaAd persistently played ads on smartphones & couldn’t be removed
While it is common practice for app developers to include Ad SDKs or plugins to monetise their free applications, what’s concerning about BeiTaAd plugin is that the way it pushes advertisements in smartphones makes it extremely difficult for the user to use his/her device effectively.
“While out-of-app ads are not particularly novel, those served by this plugin render the phones nearly unusable. Users have reported being unable to answer calls or interact with other apps, due to the persistent and pervasive nature of the ads displayed,” noted researchers at Lookout.
“These ads do not immediately bombard the user once the offending application is installed, but become visible at least 24 hours after the application is launched,” they added, stating that the plugin forcibly displays ads on the user’s lock screen, triggers video and audio advertisements even while the phone is asleep, and displays out-of-app ads that interfere with a user’s interaction with other applications on their device.
All the 238 applications that featured BeiTaAd plugin were either removed or updated to versions without the plugin after Lookout informed Google about the presence of the plugin and the impact it had on the usability of Android devices. However, the researchers believe that many more app developers will use advanced techniques such as AES encryption to avoid the detection of similar plugins that violate Google’s policies.
Back in 2017, a security researcher @SwiftOnSecurity discovered the presence of adware that masqueraded as the official AdBlock Plus extension and bypassed Google’s Chrome extension-vetting policy to install itself in devices owned by 37,000 Chrome users.
The fake AdBlock Plus extension didn’t block any ads but in fact, opened new tabs to show ads to users. The same was observed by many Chrome users who reported the extension’s abnormal behaviour on the extension’s review page.
The malicious extension was possibly able to bypass Google’s Chrome extension-vetting process because extensions are only looked into by Google’s security teams when they are reported by users or other concerned researchers. After SwiftOnSecurity unmasked the fake AdBlock Plus extension, Google removed it from its extensions store.