HUMAN Blog

Another Day, Another Fraudulent App

It’s not news that there are quite a few malicious apps in the Google Play Store, and it seems that new problematic apps are listed there every week. White Ops’ Threat Intelligence team recently identified one such app, Crazy Brainstorming, using our bot detection platform. What follows is a deep-dive analysis of the app’s operation, uncovering both fraudulent and malicious activity.

How Crazy is It?

Crazy Brainstorming (com.crazy.brain.storming) is an Android “Games” app that was available in the Google Play Store from January to March of 2019. During that short time, there were more than 1M downloads, primarily in the United States.

The app’s developer is listed as “Linda Wang,” and Crazy Brainstorming was one of several apps from that developer that were available on the Google Play Store. As of this writing, none of Linda Wang’s apps remain available.

[Image: Screenshot from www.appsignals.com. Source: White Ops Threat Intelligence]

The Brains Behind it All: Tushu SDK

The ad fraud we observed in Crazy Brainstorming was primarily associated with the Tushu Software Development Kit (SDK). Strings in the code suggest that the SDK was developed by 1tu1shu[.]com, a China-based company that describes itself as a “Data Driven Intelligent Marketing” firm.

[Image: 1tu1shu website homepage. Source: White Ops Threat Intelligence]

The Tushu SDK can display full-screen ads out of the application’s context: ads appear even though the app is not running in the foreground, allowing it to monetize even while the user is trying to interact with another app. This type of invalid traffic, similar to pop-ups or pop-unders in desktop browsers, is called Manipulated Behavior.

Through a static analysis of the source code, we’ve determined that the Tushu SDK is capable of delivering ads while the screen is off. We did not observe this behavior when we ran the app during dynamic analysis, but the capability exists in the code of the SDK.

The SDK can load ads from several different advertising frameworks; in our analysis, however, the advertisements were sourced from the H5 Games domain. Clicking on an ad takes the user to the website at nx.h5games[.]top.

[Image: Code associated with full-screen ad firing on Bluetooth state change. Source: White Ops Threat Intelligence]

The code above is one of several mechanisms used to trigger ads while the app is running in the background. Ads are also triggered by network changes, such as connecting to or disconnecting from a WiFi network, by unlocking the device, and by connecting the device to a charger. To stay even less conspicuous, the SDK honors a server-controlled parameter that sets the minimum time between ads.

The Tushu SDK hides the parent application on the device, but it is still able to run and display out-of-context advertisements while hidden.

Our team has identified 74 apps containing the Tushu SDK, none of which are still available in the Google Play Store.

How it Worked

The Crazy Brainstorming app presents itself as a brain teaser puzzle game. However, shortly after the app is first loaded, it acts as a dropper for a web-browser shortcut to nx.h5games[.]top. After placing the “Game Center” shortcut on the home screen, the Crazy Brainstorming app removes its own icon from the home screen and the app drawer, the two places users would most likely look in order to remove it. From that point on, the only way to uninstall it is through the “Apps” section of the device’s “Settings” menu.

[Image: Depiction of simulated app “Game Center” shortcut. Source: White Ops Threat Intelligence]

[Image: Code associated with installation of the Game Center shortcut. Source: White Ops Threat Intelligence]

The Game Center activity was recently reported on by the threat intelligence team at Avast, where they noted the installation in some of the apps that they were analyzing.
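The behaviour described in the two sections above (broadcast receivers that wake the app on Bluetooth, network, unlock or charger events, full-screen ads drawn over other apps, and a dropped home-screen shortcut) leaves a recognisable footprint in an app’s manifest. The following Python triage script is an added example, not code from the original post or from White Ops: it scores a decompiled AndroidManifest.xml for that footprint. The manifest it parses is a constructed sample, not the real app’s, and the verdict thresholds are an assumption of this example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Broadcast actions the analysis above names as ad triggers for a backgrounded app.
TRIGGERS = {
    "android.bluetooth.adapter.action.STATE_CHANGED": "bluetooth state change",
    "android.net.conn.CONNECTIVITY_CHANGE": "network change",
    "android.intent.action.USER_PRESENT": "device unlock",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger connected",
}
# Permissions needed to draw over other apps and to drop a home-screen shortcut.
PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "install home-screen shortcut",
}

def triage_manifest(xml_text):
    """Return (findings, verdict) for one decompiled AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for p in root.iter("uses-permission"):
        name = p.get(A + "name", "")
        if name in PERMS:
            findings.append(("permission", name, PERMS[name]))
    for r in root.iter("receiver"):  # receivers wake the app with no user interaction
        for act in r.iter("action"):
            name = act.get(A + "name", "")
            if name in TRIGGERS:
                findings.append(("receiver", r.get(A + "name", "?"), TRIGGERS[name]))
    triggers = sum(1 for f in findings if f[0] == "receiver")
    overlay = any(f[1] == "android.permission.SYSTEM_ALERT_WINDOW" for f in findings)
    shortcut = any(f[1].endswith("INSTALL_SHORTCUT") for f in findings)
    # Wake triggers + overlay permission = out-of-context ads; + shortcut permission = dropper.
    verdict = ("out-of-context ads" + (" + dropper" if shortcut else "")
               if triggers and overlay else
               "suspicious" if triggers >= 2 or overlay else "clean")
    return findings, verdict

# Constructed sample manifest (not the real app's), wired the way the text describes.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application><receiver android:name=".AdWakeReceiver"><intent-filter>
    <action android:name="android.bluetooth.adapter.action.STATE_CHANGED"/>
    <action android:name="android.intent.action.USER_PRESENT"/>
    <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
  </intent-filter></receiver></application>
</manifest>"""
```

Running `triage_manifest(SAMPLE)` returns two permission findings, three receiver findings and the verdict "out-of-context ads + dropper"; a manifest with only event receivers and no overlay permission scores "suspicious".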


The Domain Behind the Game

The H5 Games domain features a number of online games that are largely unplayable from a user perspective. The website includes advertisements that, when clicked, will take the user directly to the advertiser’s site in the same window instead of opening a pop-up, new tab, or window.

Most of the advertisements on the website link to the installation of a browser extension or the download of a Windows executable. All files and domains we checked had associations with known malware.

[Image: WinZip Driver Updater advertisement. Source: White Ops Threat Intelligence]

[Image: Doc2PDF installation and associated warning regarding permissions. Source: White Ops Threat Intelligence]

Will the Real Game Please Stand Up?

There are multiple references in the Crazy Brainstorming source code to another Android app, Skillz - Logic Brain Games (net.rention.mind.skillz). When comparing the files in the two apps’ main directories, we found that approximately 70% of the more than 200,000 lines of decompiled code matched exactly. Skillz appears to be a victim of code reuse and likely has no knowledge of this activity.

White Ops Threat Intelligence recommends removal of any apps from the developer, “Linda Wang,” as well as those including the Tushu SDK. We also recommend avoiding the H5 gaming site. Google has removed all of the apps noted following our investigation.

We’ll remain on the lookout for malicious apps and fraud. Want to stay in touch with the White Ops Threat Intelligence team? Subscribe to the White Ops newsletter and never miss an update. Read our compromise indicators below to learn what to keep an eye out for.


Indicators of Compromise (IoC)

App Name: Crazy BrainStorming
Package Name: com.crazy.brain.storming
MD5: 8486f6e3c26f68d2ecb9bce58ba2d4e9
SHA256: 21ad3f2ede1056327769ee4b21ee1c0ecfd426f65c715d8eb9d071bbf2af07af

Domains
tusumobi[.]com
nx[.]h5games[.]top
adtiming[.]com
h5game[.]center

App Packages Using Tushu SDK

(Note: some of the apps listed below may share names with other popular apps. This may be indicative of bad actors using popular app names to gain entry into app store marketplaces.)
