BeiTaAd is a well-obfuscated advertising plugin hidden within a number of popular applications in Google Play. The plugin forcibly displays ads on the user’s lock screen, triggers video and audio advertisements even while the phone is asleep, and displays out-of-app ads that interfere with a user’s interaction with other applications on their device.
Lookout has discovered 238 unique applications that include BeiTaPlugin, adware that renders a mobile device nearly unusable, in the Google Play Store. Lookout reported the malicious functionality to Google and the BeiTaPlugin has now been removed from all the affected apps on the Play store. Cumulatively, these applications amount to over 440 million installations, making this family unique in its prevalence and the level of obfuscation used to hide the plugin’s existence.
While the vast majority of free mobile applications monetize their apps through Ad SDKs or plugins, the persistence of the advertisements in this particular family and the lengths to which the developer went to hide its existence make the BeiTaPlugin concerning.
All of the apps released with BeitaPlugin were published by mobile internet company, CooTek, founded in 2008 in Shanghai. CooTek became listed on the NYSE in 2018 and is best known for its popular keyboard app, TouchPal. The BeiTaPlugin package, com.cootek.beita.plugin, is unsurprisingly bundled within TouchPal as well as numerous add-ons to their popular TouchPal keyboard, and several very popular health and fitness apps.
While out-of-app ads are not particularly novel, those served by this plugin render the phones nearly unusable. Users have reported being unable to answer calls or interact with other apps, due to the persistent and pervasive nature of the ads displayed. These ads do not immediately bombard the user once the offending application is installed, but become visible at least 24 hours after the application is launched. For example, obtrusive ads did not present themselves until two weeks after the application, Smart Scan (com.qrcode.barcode.reader.scanner.free), had been launched on a Lookout test device.
Users have documented similar experiences on an Android forum discussion spanning several months, as well as in reviews left on the applications’ Google Play pages.
The BeiTa plugin has been refactored several times since its initial release in early 2018. Earlier versions of applications that include the BeiTa plugin do so as an unencrypted dex file, beita.rec, within the assets/components directory of the package.
In more recent iterations, the BeiTa plugin is renamed to the innocuous, icon-icomoon-gemini.renc, and is encrypted using Advanced Encryption Standard (AES). Icomoon is an application that provides vector icon packs for designer and developer use. One Icomoon-compatible icon pack is named Gemini. Malware authors commonly employ this technique of renaming executable files to other file types (pdf, jpg, txt) to hide malicious assets in plain sight.
In both cases the .rec or .renc filetype suffix is intentionally misleading; the file is actually .dex (Dalvik Executable) file type that contains executable code rather than an innocuous .renc file.
The package name is also changed in more recent BeiTa versions, from com.cootek.beita.plugin to com.mobutils.android.beita.plugin.
The AES encryption key is obfuscated through a series of connected methods, and finally called for use by a package named “Hades SDK” through the method, com.android.utils.hades.sdk::getEncryptedKey().
In later versions of the application, increased encryption and obfuscation techniques are applied to hide the plugin's existence. All strings related to plugin activity are XOR encrypted and Base64-encoded courtesy of a third-party library called StringFog. Each class that facilitates the loading of the plugin is encrypted with its own separate key. The com.android.utils.hades.sdk package, for example, is decrypted using the string “Yaxiang Robin High”.
When the application is launched, the Hades SDK is initialized by a subclass defined in the manifest:
<application android:allowBackup="true" android:icon="@mipmap/ic_launcher" android:label="@string/app_name" android:name="com.scanner.QrcApplication" android:roundIcon="@mipmap/ic_launcher" android:supportsRtl="true" android:theme="@style/AppTheme">
Once the Hades SDK is initialized, it is responsible for retrieving the asset path where the plugin is located, configuring the plugin to be loaded by a subsequent Plugin framework and for much of the interaction between the plugin and additional ad libraries once loaded.
It performs checks for whether the plugin has been decrypted, loaded, specifies the output source for the .jar files generated, sets alarms to trigger ad-related intents, and specifies spaces for the ads to appear (see: public int lockScreen() method declaration).
Once decrypted, the BeiTa dex file is stored on the device at /data/user/0/<package_name>/app_p_od. It is then packaged into a JAR file by a popular Android Plugin framework (Qihoo360’s Replugin library), is stored at /data/user/0/<package_name>/app_p_a and finally loaded onto the device using the Qihoo360.Replugin DexClassLoader.
The loaded plugin is never installed to the device. Therefore, it is not listed as an installed package nor is it possible to simply uninstall the plugin without uninstalling the carrier application.
However, because the ad activities are triggered within the BeiTa plugin package, it is possible to see that it is the BeiTa plugin triggering the ads.
This BeiTaAd plugin family provides insight into future development of mobile adware. As official app stores continue to increase restrictions on out-of-app advertisements, we are likely to see other developers employ similar techniques to avoid detection.
As of May 23rd, 2019, the 230+ affected applications on Google Play have either been removed or updated to versions without the BeiTa Plugin. Lookout customers are protected from this threat, and users with any of the following affected packages are advised to update their application to its most recent version.
September 19, 2023
Google released a patch for a new zero-day vulnerability in Chrome tracked as CVE-2023-4863, which CISA also listed in their database.
September 18, 2023
September 20, 2023