Lookout Security Intelligence Team's Discovery of BeiTaAd RTD

Key facts

• Unique in prevalence and level of obfuscation used to hide existence

• Works by decrypting hidden file in the app to load and save the plugin

• Never installed to the device and cannot be uninstalled without removing the infected application

‍

Background and discovery timeline

In late 2018, Lookout researchers discovered a well-obfuscated advertising plugin hidden within a number of popular applications in Google Play. The plugin forcibly displays ads on the user’s lock screen, triggers video and audio advertisements even while the phone is asleep, and displays out-of-app ads that interfere with a user’s interaction with other applications on their device. In total, researchers discovered 307 unique applications that include BeiTaAd, with over 440 million cumulative installations.

‍

Capabilities and affected parties

This plugin renders phones nearly unusable. The ads do not immediately bombard the user, but become visible about 24 hours after the application is launched, some waiting as long as two weeks after being launched. The plugin has been refactored several times since its initial release in 2018, however the new iterations consist of an AES encrypted dex file disguised as a benign .renc file. Encryption and obfuscation techniques evolved over time to hide the plugin, with strings related to its activity eventually being XOR encrypted and Base64- encoded. When the application is launched, an SDK is initialized that retrieves the asset path where BeiTaAd is located, and checks whether it has been decrypted and loaded before storing it on the device. BeiTaAd is never actually installed on the device, so it cannot be removed without uninstalling the main application that the user initially downloaded. As of May 23^rd, 2019, the 230+ affected applications on Google Play have either been removed or updated to versions without the BeiTaAd Plugin.