Lookout Security Intelligence Team's Discovery of BeiTaAd RTD
How Lookout detects and protects against threats like BeiTaAd
In the case of BeiTaAd, the investigation of several applications that were seen displaying full screen ads on the home screen allowed Lookout researchers to uncover the breadth of this plugin and the obfuscation efforts put in over time to keep it hidden. Since starting to detect and alert to BeiTaAd, Lookout has protected hundreds of thousands of devices from the adware. This plugin family provides insight into the future development of mobile adware, and it is likely we’ll see other developers attempt to use similar techniques to avoid detection.
Key facts
- Unique in prevalence and level of obfuscation used to hide existence
- Works by decrypting hidden file in the app to load and save the plugin
- Never installed to the device and cannot be uninstalled without removing the infected application
Background and discovery timeline
In late 2018, Lookout researchers discovered a well-obfuscated advertising plugin hidden within a number of popular applications in Google Play. The plugin forcibly displays ads on the user’s lock screen, triggers video and audio advertisements even while the phone is asleep, and displays out-of-app ads that interfere with a user’s interaction with other applications on their device. In total, researchers discovered 307 unique applications that include BeiTaAd, with over 440 million cumulative installations.
Capabilities and affected parties
This plugin renders phones nearly unusable. The ads do not immediately bombard the user, but become visible about 24 hours after the application is launched, some waiting as long as two weeks after being launched. The plugin has been refactored several times since its initial release in 2018, however the new iterations consist of an AES encrypted dex file disguised as a benign .renc file. Encryption and obfuscation techniques evolved over time to hide the plugin, with strings related to its activity eventually being XOR encrypted and Base64- encoded. When the application is launched, an SDK is initialized that retrieves the asset path where BeiTaAd is located, and checks whether it has been decrypted and loaded before storing it on the device. BeiTaAd is never actually installed on the device, so it cannot be removed without uninstalling the main application that the user initially downloaded. As of May 23rd, 2019, the 230+ affected applications on Google Play have either been removed or updated to versions without the BeiTaAd Plugin.
Authors
Lookout
Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as its preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.
.png)
