Key points
- Adware impersonates known gaming apps (free or paid) and removes its icon from the app drawer to avoid detection.
- Malicious apps request high-risk permissions including INTERNET, SYSTEM_ALERT_WINDOW, FOREGROUND_SERVICE, RECEIVE_BOOT_COMPLETED, QUICKBOOT_POWERON, and SCHEDULE_EXACT_ALARM.
- The apps fetch installer/ad URLs from embedded resource entries (example: hxxp://1downloadss0ftware[.]xyz/gogo/install) and load them into a WebView to serve ads.
- Ads are also opened repeatedly in the device's default browser, lining up multiple ad pages to generate clicks and impressions.
- The malware uses createScreenCaptureIntent to initiate screen captures and registers listeners for screen on/off events to trigger actions.
- Device information is collected and formatted via JSON for exfiltration or ad-targeting purposes.
- Multiple SHA-256 file hashes and domains associated with the samples were identified and blocked by SonicWall Capture ATP w/RTDMI.
MITRE Techniques
- None: the article does not explicitly reference any MITRE ATT&CK technique IDs or names.
Indicators of Compromise
- [Domain] Ad/payload hosting and C2-like resource URLs: hxxp://1downloadss0ftware[.]xyz, hxxps://adsforapp1[.]com
- [Domain] Ad distribution: hxxps://onetouch23[.]info, used as an ad landing or redirect domain
- [File hash, SHA256] Malicious APK samples: 6f24a2614dbbb4bcfd0422101ec9dbd8f2cc566500562a5191b24adf6b1cf7e0, 9ad72da43509fc05156f8ac8e2c107080e881ab9ec9e9bd6b97db4040bca380f, and 7 more hashes
The technical infection flow begins at installation: the malicious APK requests network and overlay-related permissions (INTERNET, SYSTEM_ALERT_WINDOW, FOREGROUND_SERVICE) plus autostart/boot permissions (RECEIVE_BOOT_COMPLETED, QUICKBOOT_POWERON, SCHEDULE_EXACT_ALARM). Immediately after launch the app disables or hides its launcher activity so its icon disappears from the app drawer, requiring users to view the app via Settings > Apps. The sample includes a resource entry that contains a URL (for example hxxp://1downloadss0ftware[.]xyz/gogo/install) which it retrieves to load ad/content payloads.
Fetched URLs are loaded into a WebView component and also opened repeatedly in the device's default browser; this behavior lines up multiple ad pages to generate impressions and clicks. The app calls createScreenCaptureIntent to request screen capture and registers handlers for screen on/off events to time ad presentation or captures. Device profiling routines collect system information and package it into JSON structures for transmission to the remote ad servers or trackers.
Operationally, the malware keeps itself persistent via foreground services and boot receivers, uses overlay capability to influence user interactions, and centralizes ad delivery through fetched URLs and the default browser. Defenders should block the identified domains, detect apps requesting the listed permissions in combination with hidden launcher behavior, and use the provided SHA-256 hashes to identify and remove known samples.
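The three defensive checks above (permission combination, boot persistence and launcher visibility from the manifest; domain and hash lookups against the listed indicators) as one triage script. This is an added example, not SonicWall's tooling: the manifest and DNS log lines are constructed, the verdict thresholds are my own heuristic, and because the icon hiding happens at runtime, the static check can only record whether a MAIN/LAUNCHER activity is declared at all. QUICKBOOT_POWERON is matched on its last dotted segment, since vendors ship it under different prefixes.

```python
import re
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Permission names as listed in the key points; matched on the last dotted
# segment so android.permission.X and vendor-prefixed names both count.
RISKY_PERMISSIONS = {"INTERNET", "SYSTEM_ALERT_WINDOW", "FOREGROUND_SERVICE",
                     "RECEIVE_BOOT_COMPLETED", "QUICKBOOT_POWERON", "SCHEDULE_EXACT_ALARM"}
BOOT_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.intent.action.QUICKBOOT_POWERON"}

# Indicators from the page, kept defanged so they stay non-clickable in reports.
IOC_DOMAINS = ["1downloadss0ftware[.]xyz", "adsforapp1[.]com", "onetouch23[.]info"]
IOC_SHA256 = {
    "6f24a2614dbbb4bcfd0422101ec9dbd8f2cc566500562a5191b24adf6b1cf7e0",
    "9ad72da43509fc05156f8ac8e2c107080e881ab9ec9e9bd6b97db4040bca380f",
}


def refang(domain):
    """Turn the page's defanged notation back into a matchable hostname."""
    return domain.replace("[.]", ".")


def triage_manifest(manifest_xml):
    """Flag the permission/persistence pattern described in the article.

    Thresholds are a constructed heuristic: overlay permission plus a boot
    receiver plus a broad permission set is what a hidden-icon adware game
    looks like, while a single network permission is normal for any app.
    """
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME, "").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    risky = sorted(RISKY_PERMISSIONS & requested)

    # An app with no MAIN/LAUNCHER activity never appears in the app drawer.
    has_launcher = any(
        "android.intent.action.MAIN" in {a.get(NAME) for a in flt.iter("action")}
        and "android.intent.category.LAUNCHER" in {c.get(NAME) for c in flt.iter("category")}
        for act in root.iter("activity") for flt in act.iter("intent-filter"))
    boot_receiver = any(a.get(NAME) in BOOT_ACTIONS
                        for rcv in root.iter("receiver") for a in rcv.iter("action"))

    if "SYSTEM_ALERT_WINDOW" in risky and boot_receiver and len(risky) >= 4:
        verdict = "suspicious"
    elif len(risky) >= 3:
        verdict = "review"
    else:
        verdict = "clean"
    return {"risky_permissions": risky, "boot_receiver": boot_receiver,
            "launcher_activity": has_launcher, "verdict": verdict}


def domain_hits(log_lines):
    """Return (line_number, ioc) for lines naming an IoC domain or one of its subdomains."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        for ioc in IOC_DOMAINS:
            pattern = (r"(?<![A-Za-z0-9-])(?:[A-Za-z0-9-]+\.)*"
                       + re.escape(refang(ioc)) + r"(?![A-Za-z0-9-])")
            if re.search(pattern, line, re.IGNORECASE):
                hits.append((number, ioc))
    return hits


def hash_hits(sha256_hexdigests):
    """Return the digests (e.g. parsed from sha256sum output) that match a known sample."""
    return [h.lower() for h in sha256_hexdigests if h.lower() in IOC_SHA256]


# Constructed manifest modelled on the permission set the article lists.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SCHEDULE_EXACT_ALARM"/>
  <application android:label="Fun Game">
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <receiver android:name=".BootReceiver"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application>
</manifest>"""

# Constructed resolver log lines; the third one is a subdomain of an IoC domain.
SAMPLE_DNS_LOG = [
    "2024-03-12T10:01:02Z client=10.0.0.5 query=1downloadss0ftware.xyz type=A",
    "2024-03-12T10:01:03Z client=10.0.0.5 query=cdn.example.com type=A",
    "2024-03-12T10:01:09Z client=10.0.0.7 query=static.adsforapp1.com type=A",
]

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(domain_hits(SAMPLE_DNS_LOG))
    print(hash_hits(["6f24a2614dbbb4bcfd0422101ec9dbd8f2cc566500562a5191b24adf6b1cf7e0"]))
```

On a real device or image, feed `triage_manifest` the manifest decoded from the APK (for example with apktool) and `hash_hits` the digests from `sha256sum *.apk`; a "suspicious" verdict on an app whose icon is missing from the drawer but present under Settings > Apps is the combination the article describes.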
Read more: https://blog.sonicwall.com/en-us/2024/03/android-adware-hidden-behind-the-facade-of-gaming-icons/