An Android app component designed to provide inter-user chatting capabilities was found to be opening websites and clicking on ads in Android devices’ background. This malicious component, according to a report released last week, is part of a software development kit or SDK offered by a Chinese company is known as呀呀云 (Ya Ya Yun).
A lot of Android app developers use the software development kit of Ya Ya Yun in adding an instant messaging feature to the games that they create. Meaning to say, Android games use the SDK for chat purposes and will free up developers to cater to other features of the game. This kind of design practice of using an SDK to offload many app features to remote services is actually dangerous as it provides access to a remote company which can take control over the app.
So for the Android game developers who selected the Ya Ya Yun SDK, it was a definitely a mistake they shouldn’t make again. According to a Russian antivirus vendor Dr. Web, their mobile security researchers were able to spot the apps that contain this SDK on the official Google Play Store. As it turns out, these apps were also downloading other components that are hidden inside benign images according to Dr. Web.
The Ya Ya Yun SDK was caught downloading these benign images, unpacking the malicious component inside as well as running it on the infected device. So far, the malicious components that the SDK downloaded only opened a URL inside a hidden browser and clicked on ads which obviously are for the benefit of the crooks. However, security experts claimed that this could escalate to more malicious actions.
“Virus writers are capable of creating additional Trojan modules that will perform other malicious actions. For example, display phishing windows to steal login credentials, show advertising, and also covertly download and install applications,” stated some security experts of Dr. Web on the report they published a week ago.
Security experts were able to identify this malicious behavior on 27 Android games that are all available in the Google Play Store which are installed in over 4.5 million devices. Google was already notified regarding this issue and have yet to comment. But still, eight days after Dr. Web’s report was released to the public, the reported apps are still available on the Play Store so there’s that.
In these kinds of cases, Google usually deactivates the reported malware-laden apps until the developer themselves remove the malicious component. Even though some of the apps are still available up to this day, they might no longer contain the malicious behavior anymore but it’s still better to be safe than sorry so below is the list of the apps containing the Ya Ya Yun’s SDK:
- Hero Mission v1.8
- Era of Arcania v2.2.5
- Clash of Civilizations v0.11.1
- Sword and Magic v1.0.0
- ﺧﺎﺗﻢ ﺍﻟﺘﻨﻴﻦ – Dragon Ring (For Egypt) v1.0.0
- perang pahlawan v1.1400.2.0
- 樂舞 – 超人氣3D戀愛跳舞手遊 v1.0.2
- Fleet Glory v1.5.1
- Kıyamet Kombat Arena v1.1.4
- Love Dance v1.1.2
- Never Find Me – 8v8 real-time casual game v1.0.12
- 惡靈退散-JK女生の穿越冒險 v0.1.7
- King of Warship: National Hero v1.5.0
- King of Warship: Sail and Shoot v1.5.0
- 狂暴之翼-2017年度最具人氣及最佳對戰手遊 v0.2.8
- 武動九天 v1.0.5
- 武動九天 v1.0.7
- Royal flush v126.96.36.199
- Sword and Magic (version depends on a device model)
- Gumballs & Dungeons：Roguelike RPG Dungeon crawler v41.171020.09-1.8.6
- Soul Awakening v1.1.0
- Warship Rising – 10 vs 10 Real-Time Esport Battle v1.0.8
- Thủy Chiến – 12 Vs 12 v1.2.0
- Dance Together v1.1.0
- 頂上三国 – 本格RPGバトル v1.0.5
- 靈魂撕裂 v1.1.0
- Star Legends v1.0.6