by Oren Koriat and Andrey Polkovnichenko, Cyber Analysts, Check Point
‘Skinner’, a new piece of adware, was identified on Google Play in Q1 2017 and had been downloaded by a reported 10,000 users before being identified as malware. Embedded in a game-related app, Skinner remained undetected for almost two months.
The adware, one of an increasing number of such malicious programs found this year, is similar to previous families including CallJam, DressCode and Viking Horde. Discovered by Check Point Software Technologies, Skinner was removed from the Play store by the Google security team.
With so many new threats identified from various malware sources, why is Skinner of any particular note?
Unlike many of its predecessors, Skinner was a more advanced threat that demonstrated some unique and highly innovative tactics, both to evade detection and to carry out its malicious activity.
Adware isn’t new, and all variants of this kind of malware exist to target users with ads specifically designed to redirect the advertising revenue generated on an IoT device to the attacker. By effectively taking control of your device and displaying only ads that the attacker profits from, adware has become big business.
What made Skinner unique is the level of precision and sophistication employed to target these ads more precisely and to avoid security systems. Skinner contained a unique library of malicious code and unpacked its components with great care for self-preservation: it ran checks to ensure it only launched under real conditions, namely a user actually opening an app, and only operated when no emulator or debugger was present. Once initiated, Skinner contacted its Command and Control server to request highly targeted ads based on the user’s running apps and precise location. This sophisticated level of targeting not only increases the probability of a user clicking on an ad but also reduces suspicion over the ad placement. Although the technique has been seen before in banker overlay malware, this is the first time it has been employed by adware, making Skinner a unique and highly innovative threat.
The benefit to cyber criminals of adware with Skinner’s features is that profits can be maximised with fewer infections because of the higher success rate. The problem for cyber security specialists is that the less widespread a malware infection is, the less likely it is to be reported. If a threat remains undetected, it is likely to remain at large for longer.
So, although Skinner was a relatively low-level infection in terms of the number of users it affected, it does signal a worrying shift in the way adware is being developed. The potential for copycat malware adopting these same characteristics is huge, and the nature of the beast will make it much harder for security services to detect. Yet again, the underlying takeaway is just how little trust one can place in the practice of downloading apps from legitimate sources such as Google Play.