Google has removed more than 60 games from the Play Store after security firm Check Point discovered they were laced with malware and serving up porn ads. Check Point claims that the games were aimed at children, but Google says this was not the case.
The AdultSwine malware was found to be bundled in a number of games, many of which had been downloaded millions of times. As well as displaying pornographic ads, the malware also tried to trick users into installing fake security tools, and also encouraged people to register for expensive premium services.
AdultSwine's modus operandi is similar to other Android malware. Check Point explains that once an infected app is installed, the malicious code phones home to a command and control server for further instructions. This not only includes instructions on the types of ads to show -- and over which apps -- but also possibly hiding the app icon to make it slightly more difficult to remove.
Check Point explains:
It is interesting to note that the server however forbids ads to be displayed over certain apps such as browsers and social networks, in order to avoid suspicion.
The malicious code then verifies certain conditions regarding the device's status and checks which app is currently running on screen. Once all its terms are met, it begins to display the illegitimate ads outside of the app's context. If it is embedded inside a web browser app the ads will be displayed inside that browser, if not they will be displayed inside a designated web view.
As for the ads being displayed, they come from two main sources; the first is that of the main ad providers, which forbid such illegitimate display of their ads. The second is the malicious code’s own ad library, which contains ads of an offensive nature, including pornographic ads. All these are displayed to children while playing the game that the app is masquerading as.
The malware's secondary and tertiary tactics of pushing fake security apps and signing users up for premium rate services. While Google has removed the offending apps from the Play Store, Check Point says that the issue highlights the fact that more should be done to ensure app safety.
These plots continue to be effective even today, especially when they originate in apps downloaded from trusted sources such as Google Play.
The full list of infected apps can be found over on the Check Point website, along with a more detailed write-up about AdultSwine.