App “Component” Downloads Apps Onto Devices

We often talk about the security risks when dealing with third-party app stores. Previous research has shown that third-party app stores are often a hotbed of malware, specifically, malicious versions of popular apps. Aside from malicious apps, we are now seeing a marked increase of “downloader apps” in these stores, whose primary function is to download other apps that may lead to security risks for mobile users.

Downloader Apps Seen in a Third-Party App Store in China

Our engineers decided to look at one of the most popular third-party Android app stores in China. They found there are thousands of apps in the site that are intentionally packed to lure users into downloading other apps.

One example would be 火云邪神 (which roughly translates to “Fire Dragon Demon”), which pretends to be a game app. Our analysis reveals this is merely a repackaged app displays pop-up windows upon installation. The message informs users that the system lacks some core components required for the app and urges them to fix this to get a “better user experience.” The download begins once the “Fix” button is clicked.

Figure 1. (L) Game app; (R) Message stating that the device needs to download components

While the “Fix” downloads, the app displays images of other apps with messages that urge users to click them. Clicking on any of the images will lead to downloading other apps. We noticed that the downloaded apps are not necessarily the sames ones advertised in the images.

If the user does not click the image, the image will remain on the screen until the download is complete. Users have the option of removing the image by clicking an “X” mark but another image will replace it immediately.

When the download is complete, the user will be asked to install the “component.” This component is actually a downloader, com.andriod.frames.

Figure 2. The component is com.andriod.frames

After installation, com.andriod.frames runs in background. It downloads other apps and requests the user to install them.

Figure 3. com.andriod.frames runs in the background and downloads other apps

The Risk of Downloader Apps

We looked at certain apps in our database and found that their package names appear to be random.

Figure 4. Random package names for apps

We also noticed that they are all packed with a package, com.android.yuyouwall, which works as the main activity to lure users to download apps like com.andriod.frames. Based on these, we believe these apps are auto-generated.

Figure 5. Code in app that shows the downloading routine

As of this writing, we have seen around 5,000 apps with this behavior in the same third-party app store. These apps present themselves as games or other popular apps like a Bluetooth file transfer app. They trick users into downloading supposed core components or data packages, which are actually just downloaders.

This type of app behavior poses serious security risks for mobile devices. The downloaded apps could be malware, or apps that spam users with ads. Despite the ‘makeshift’ security measure that is offered by requiring user permissions before app installation, the constant notifications and pop-ups are still a nuisance.

Be cautious when downloading from third-party app stores. Try to only download apps from official app stores (Google Play Store) or official developer sites. Additionally, mobile users should invest in a mobile security solution to truly protect their devices against threats like these.

Trend Micro™ Mobile Security protects users from these downloader apps and detects them as ANDROIDOS_YUYOU.HBT.

We are currently working with the app site to address this issue.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

App “Component” Downloads Apps Onto Devices