June 13, 2019

Lookout Security Intelligence Team's Discovery of BeiTaAd RTD

How Lookout detects and protects against threats like BeiTaAd

In the case of BeiTaAd, the investigation of several applications that were seen displaying full-screen ads on the home screen allowed Lookout researchers to uncover the breadth of this plugin and the obfuscation effort put in over time to keep it hidden. Since it began detecting and alerting on BeiTaAd, Lookout has protected hundreds of thousands of devices from the adware. This plugin family provides insight into the future development of mobile adware, and it is likely we’ll see other developers attempt to use similar techniques to avoid detection.

Key facts

  • Unique in both prevalence and the level of obfuscation used to hide its existence
  • Works by decrypting a hidden file inside the app to load and save the plugin
  • Never installed on the device, and cannot be uninstalled without removing the infected application

Background and discovery timeline

In late 2018, Lookout researchers discovered a well-obfuscated advertising plugin hidden within a number of popular applications in Google Play. The plugin forcibly displays ads on the user’s lock screen, triggers video and audio advertisements even while the phone is asleep, and displays out-of-app ads that interfere with a user’s interaction with other applications on their device. In total, researchers discovered 307 unique applications that include BeiTaAd, with over 440 million cumulative installations.

Capabilities and affected parties

This plugin renders phones nearly unusable. The ads do not bombard the user immediately, but become visible about 24 hours after the application is launched, with some variants waiting as long as two weeks. The plugin has been refactored several times since its initial release in 2018; the newer iterations consist of an AES-encrypted dex file disguised as a benign .renc file. Encryption and obfuscation techniques evolved over time to hide the plugin, with strings related to its activity eventually being XOR-encrypted and Base64-encoded. When the application is launched, an SDK is initialized that retrieves the asset path where BeiTaAd is located and checks whether it has already been decrypted and loaded before storing it on the device. BeiTaAd is never actually installed on the device, so it cannot be removed without uninstalling the main application that the user originally downloaded. As of May 23rd, 2019, the 230+ affected applications on Google Play have either been removed or updated to versions without the BeiTaAd plugin.
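One triage check a defender can derive from the description above: the payload is an encrypted dex stored as an oddly named (.renc) asset, so an APK's assets/ directory can be scanned for high-entropy blobs whose file extension does not account for the entropy, and for plaintext dex files that have no business sitting in assets. This is an added example written for this page, not Lookout's detection logic; the asset names and contents are constructed, and the entropy threshold and extension allowlist are assumptions.

```python
import io
import math
import posixpath
import random
import zipfile
from collections import Counter

# Assumption: these asset types are legitimately near 8 bits/byte (compressed
# media, fonts, nested archives) and should not be flagged on entropy alone.
KNOWN_HIGH_ENTROPY_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".webp",
                           ".mp3", ".ogg", ".ttf", ".otf", ".zip"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, far lower for text or code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious_assets(apk_bytes: bytes, min_entropy: float = 7.5, min_size: int = 1024):
    """Return (path, reason, entropy) for entries under assets/ worth a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = apk.read(info)
            ext = posixpath.splitext(info.filename)[1].lower()
            ent = shannon_entropy(data)
            if data.startswith(b"dex\n"):  # dex magic: a loadable dex hidden as an asset
                findings.append((info.filename, "plaintext dex in assets", ent))
            elif len(data) >= min_size and ent >= min_entropy and ext not in KNOWN_HIGH_ENTROPY_EXTS:
                findings.append((info.filename, "high-entropy blob with non-media extension", ent))
    return findings

def build_sample_apk() -> bytes:
    """Constructed APK-like zip: one benign JSON asset and one random-byte .renc asset."""
    rng = random.Random(2019)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("assets/config.json", '{"ad_delay_hours": 24}\n' * 40)
        z.writestr("assets/payload.renc", bytes(rng.getrandbits(8) for _ in range(4096)))
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)  # top-level dex is normal
    return buf.getvalue()

if __name__ == "__main__":
    for path, reason, ent in suspicious_assets(build_sample_apk()):
        print(f"{path}: {reason} (entropy {ent:.2f} bits/byte)")
```

A hit is a lead for manual analysis, not a verdict: the check cannot tell an AES-encrypted dex from any other encrypted blob, and an app that legitimately ships encrypted assets will also be flagged.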

Authors

Lookout

Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Discovered By: Lookout
Entry Type: Threat Guidances
Platform(s) Affected: Android
Threat Type: Malware
