Researchers recently revealed in an online article (https://www.reddit.com/user/ph...) that a malicious plug-in named UPSDK is intentionally stealing Google AdMob data at large scale and abusing user permissions.
UPSDK is an ad SDK developed by UPLTV; it integrates with apps to serve in-app ads and help developers monetize. However, multiple vicious behaviors of the SDK were detected. Via hook and reflection code, it illegally obtains ad data from Google AdMob. The stolen data is then transmitted to UPLTV's server.
UPLTV is a Shanghai-headquartered company focusing on mobile game publishing and monetization. It offers an ad SDK and a game-publishing business.
According to the article, the malware has already been detected in at least 5 game apps, including "The Greedy Cave", "Bingo Party", "BarbarQ", "Tankr.io" and "Word Crush". Among them, "The Greedy Cave" is developed by Avalon-Games, a well-known Chinese publisher, and "BarbarQ" has been downloaded over 10 million times.
The article disclosed full details of how the massive data stealing is done by UPLTV. Simply put, UPLTV's SDK contains a fraudulent executable file named d11501a1198gh789dc1s8uo0pmkv090c.key, which can be decrypted into a jar file, dex_adrtwards.jar, on instruction from its server. The jar file carries the illegal intrusion code and, on the server's command, is invoked to reflect into the Google AdMob SDK. Thus, Google Ad data is secretly stolen and uploaded to UPLTV.
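The behavior described above (an encrypted payload stored under a non-code extension, decrypted and loaded on server command, then using reflection against the AdMob SDK) leaves traits that a defender can check for statically. The following Python triage script is an added example, not code from the article, from UPLTV, or from any of the affected apps. It scans an unpacked APK's assets directory for code payloads hidden behind a non-code extension such as .key and for high-entropy blobs consistent with an encrypted payload awaiting decryption, and it checks a list of strings pulled from classes.dex for dynamic-loading and reflection indicators. The file name is taken from the article; the sample file contents, the entropy threshold, and the indicator list (including the assumed AdMob package prefix com/google/android/gms/ads) are assumptions for illustration.

```python
"""Static triage of an unpacked APK's assets/ directory for hidden code payloads.

Added example (not UPLTV's, the article's, or any affected app's code). Heuristics:
  1. File content is a zip/jar or dex but the extension does not say so (e.g. ".key").
  2. Content has near-maximal byte entropy, which is how an encrypted payload that
     waits for server-side decryption looks at rest.
  3. Strings extracted from classes.dex contain dynamic-loading / reflection indicators.
"""
import math
import tempfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"   # .jar files are zip archives
DEX_MAGIC = b"dex\n"        # Dalvik executable header
CODE_EXTENSIONS = {".jar", ".dex", ".apk", ".zip"}
ENTROPY_THRESHOLD = 7.5     # bits per byte (assumed cut-off); text/JSON sits far below
MIN_SIZE_FOR_ENTROPY = 256  # tiny files give unreliable entropy estimates

# Assumed indicator list; class descriptors in a dex look like "Ldalvik/system/DexClassLoader;".
DYNAMIC_LOAD_INDICATORS = (
    "dalvik/system/DexClassLoader",
    "dalvik/system/InMemoryDexClassLoader",
    "java/lang/reflect/Method",
    "getDeclaredMethod",
    "com/google/android/gms/ads",   # AdMob SDK package prefix (assumed hook target)
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_asset(path: Path) -> list[str]:
    """Return the findings for one asset file (empty list if nothing is suspicious)."""
    data = path.read_bytes()
    ext = path.suffix.lower()
    findings = []
    if data.startswith(ZIP_MAGIC) and ext not in CODE_EXTENSIONS:
        findings.append("jar/zip content behind non-code extension")
    elif data.startswith(DEX_MAGIC) and ext not in CODE_EXTENSIONS:
        findings.append("dex content behind non-code extension")
    elif len(data) >= MIN_SIZE_FOR_ENTROPY and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        findings.append("high-entropy blob, possibly an encrypted code payload")
    return findings


def scan_assets(root: Path) -> dict[str, list[str]]:
    """Map relative path -> findings for every file under root that has any findings."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings = classify_asset(path)
            if findings:
                report[str(path.relative_to(root))] = findings
    return report


def flag_dynamic_loading(dex_strings) -> list[str]:
    """Indicators present in strings extracted from classes.dex (e.g. via `strings`)."""
    return [ind for ind in DYNAMIC_LOAD_INDICATORS if any(ind in s for s in dex_strings)]


def build_sample_assets() -> Path:
    """Constructed sample assets directory (not real SDK content) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="assets_"))
    # File name from the article; content is a constructed maximal-entropy blob.
    (root / "d11501a1198gh789dc1s8uo0pmkv090c.key").write_bytes(bytes(range(256)) * 16)
    # A jar renamed to look like a key file (constructed).
    (root / "license.key").write_bytes(ZIP_MAGIC + b"\x00" * 128)
    # Benign assets (constructed): plain config and a jar that says what it is.
    (root / "config.json").write_text('{"ads": {"enabled": true}}')
    (root / "lib.jar").write_bytes(ZIP_MAGIC + b"\x00" * 128)
    return root


if __name__ == "__main__":
    sample = build_sample_assets()
    for name, found in scan_assets(sample).items():
        print(f"{name}: {'; '.join(found)}")
    constructed_strings = ["Ldalvik/system/DexClassLoader;", "Lcom/google/android/gms/ads/AdView;", "hello"]
    print("dynamic-loading indicators:", flag_dynamic_loading(constructed_strings))
```

Run it against a real unpacked APK by pointing `scan_assets` at its `assets/` directory; a hit on both heuristics for the same package (an encrypted blob in assets plus DexClassLoader and AdMob references in the dex) is the combination worth escalating, since a legitimate asset rarely needs to be both opaque at rest and loaded as code at runtime.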