A new member of the ever growing adware-found-on-Google-Play-list has been found. Previous members include Viking Horde, DressCode and CallJam, among many others. The malware, dubbed “Skinner”, was embedded inside an app which provides game related features. The app was downloaded by over 10,000 users, and managed to hide on Google Play for over two months. Skinner tracks the user’s location and actions, and can execute code from its Command and Control server without the user’s permission. The app was removed from the play store after we contacted the Google security team. While Adware are a common threat to users, Skinner displayed new elaborate tactics used to evade detection and maximize the profits by targeting users with unprecedented precision.

The malware contains a malicious library, which is unpacked after it is installed on a device. Skinner obfuscates the malicious components of its code to avoid detection. The malicious activity begins only once the malware detects a user activity, such as opening an app, to ensure it is run by a real user. In addition, it checks a number of conditions before it launches, including the absence of a connected debugger, and of emulator hardware, and that the app was installed from Google Play. All of these are intended to evade detection by researchers and protection methods. Once initiated, the malware sends its C&C server data about the device, which contains its location and running apps, and requests ads to display.


Skinner adware sourcecode


Figure 4: Evasion checkups used by Skinner


Skinner uses an advanced logic to display illegitimate ads to the user, without raising his suspicion, and raise the probability he will click on them. Instead of simply displaying any ad, the malware checks which type of app the user is using at a given moment and displays a suitable ad. This is a completely new behavior for a mobile adware. Until now, only banker-overlay malware displayed such activity. This sort of tailored “marketing” is likely to drastically increase the malware’s success rate. The four app categories are navigation apps, caller apps, utility apps, and browser apps.

This tactic is unique, and quite innovative. While most Adware rely on mass spread to generate large profits, Skinner could potentially suffice in infecting fewer users to generate the same amount of revenues, but minimize the risk of being caught. The smaller the spread of a malware is, the fewer chances it will raise any alarms and undergo security inspections. We believe this sort of tactic will be adopted and perfected by other Adware in the near future.

Even though this was far from being a large scale attack on users, Skinner demonstrates once again that users cannot rely on downloading apps from legitimate app stores for their safety, and require more advanced protections to guard them. Skinner used custom obfuscation, rather than just copying a known technique from other malware, which makes it much harder to detect. The advanced evasion methods introduced by this malware will only increase in complexity, endangering users worldwide.


Skinner SHA256 hash: