SimBad malware infected million Android users through Play Store

Posted by & filed under Ειδοποιήσεις.

Security experts at Check Point uncovered a sophisticated malware campaign spreading the SimBad malicious code through the official Google Play Store.

Researchers at Check Point have uncovered a sophisticated malware campaign spreading the SimBad agent through the official Google Play Store. According to experts, more than 150 million users were already impacted.

SimBad disguises itself as ads, it is hidden in the RXDrioder software development kit (SDK) used for advertising purposes and monetization generation. Every application developed using the tainted SDK includes the malicious code.

“The malware resides within the ‘RXDrioder’ Software Development Kit (SDK), which is provided by ‘addroider[.]com’ as an ad-related SDK. We believe the developers were scammed to use this malicious SDK, unaware of its contentleading to the fact that this campaign was not targeting a specific county or developed by the same developer.” reads the analysis published by the experts.

“The malware has been dubbed ‘SimBad’ due to the fact that a large portion of the infected applications are simulator games.”

The domain ‘addroider[.]com’ was registered via GoDaddy the ownership is masqueraded by the privacy protection service, RiskIQ’s PassiveTotal reveals that the domain expired 7 months ago.  By accessing the domain users get a login page that appears similar to other malware panels. The ‘Register’ and ‘Sign Up’ links are broken and ‘redirects’ the user back to the login page.

The SimBad malware is also able to redirect Android users to compromised phishing websites and to download more malicious applications either from the Play Store or from a remote server.

Once an Android user downloads and installs an infected application, the SimBad malware registers itself to the ‘BOOT_COMPLETE’ and ‘USER_PRESENT’ intents. In this way, the malware could perform actions once the booting phase has been completed, while the unaware user is using his device.

Once installed, SimBad malware will connect to the Command and Control (C&C) server, and receives a command to perform. It removes its icon from the launcher, thus making it harder for the user to uninstall the malicious app, at the same time it starts to display background ads and open a browser with a given URL to generate fraudulent revenue without raising suspicion.

“‘SimBad’ has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications. With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.” continues the expert.

“With the capability to open market applications, such as Google Play and 9Apps, with a specific keyword search or even a single application’s page, the actor can gain exposure for other threat actors and increase his profits. The actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware once it is required.”



According to Check Point, Most of the infected applications are simulator games, followed by photo editors and wallpapers applications. Below the list of top 10 apps infected with SimBad malware:

  1. Snow Heavy Excavator Simulator (10,000,000 downloads)
  2. Hoverboard Racing (5,000,000 downloads)
  3. Real Tractor Farming Simulator (5,000,000 downloads)
  4. Ambulance Rescue Driving (5,000,000 downloads)
  5. Heavy Mountain Bus Simulator 2018 (5,000,000 downloads)
  6. Fire Truck Emergency Driver (5,000,000 downloads)
  7. Farming Tractor Real Harvest Simulator (5,000,000 downloads)
  8. Car Parking Challenge (5,000,000 downloads)
  9. Speed Boat Jet Ski Racing (5,000,000 downloads)
  10. Water Surfing Car Stunt (5,000,000 downloads)

The full list of malware-infected apps is available here.

This is the campaign in order of time leveraging the Google store, previously reported massive attacks involved CopyCat and Gooligan malware.


The information contained in this website is for general information purposes only. The information is gathered from Security Affairs while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.