A new and insidious type of adware, dubbed “Skinner”, has been found on Google Play. It’s smart enough to target users with personalized fake ads.
The malware, uncovered by Check Point researchers, was embedded inside an app which provides game related features. It was downloaded by over 10,000 users, and managed to hide on Google Play for over two months.
“Skinner displayed new elaborate tactics used to evade detection and maximize the profits by targeting users with specifically-tailored advertising, to boost click-fraud revenues for the people behind the malware with unprecedented precision,” the researchers said in a blog.
Skinner tracks the user’s location and actions, and can execute code from its Command and Control server without the user’s permission. It also uses an advanced logic to display illegitimate ads to the user, without raising his suspicion, and raise the probability he will click on them. Instead of simply displaying any ad, the malware checks which type of app the user is using at a given moment and displays a suitable ad.
This is a completely new behavior for a mobile adware, according to Check Point.
“Until now, only banker-overlay malware displayed such activity,” the researchers said. “This sort of tailored ‘marketing’ is likely to drastically increase the malware’s success rate. The four app categories are navigation apps, caller apps, utility apps and browser apps.”
In addition to being unique, it also means that while most adware relies on mass spread to generate large profits, Skinner could potentially infect fewer users to generate the same amount of revenues, but minimize the risk of being caught.
“The smaller the spread of a malware is, the fewer chances it will raise any alarms and undergo security inspections,” the researchers said. “We believe this sort of tactic will be adopted and perfected by other adware in the near future.”
The app was removed from the Play store after Check Point researchers contacted the Google security team. But it is unlikely to be the last in the official store. Previous adware variants that were found on Google Play include Viking Horde, DressCode and CallJam.