SimBad adware apps downloaded from Google Play nearly 150 million times

Credit: ID 118943519 © Mykyta Dolmatov |

Android users who’ve downloaded at least one of 210 hugely popular apps may have exposed their smartphones to adware that could become a much larger problem in the future. 

Researchers at Israeli cyber security firm Check Point have blown the whistle on a dodgy software development kit (SDK) that rendered hundreds of popular Android apps a threat to their users. 

Google has now removed the malicious apps from the Google Play app store but only after potentially millions of devices were infected. 

The SDK, a malicious advertising platform dubbed ‘RXDrioder’, allows apps that use it to receive harmful instructions form the domain      

Developers of the 210 affected apps most likely victims of the SDK as are the millions of users who installed the apps, which are mostly simulator games like “Snow Heavy Excavator Simulator”, an app with 10 million installs from Google Play. 

“We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific county or developed by the same developer. The malware has been dubbed ‘SimBad’ due to the fact that a large portion of the infected applications are simulator games,” Check Point researchers said

Other popular simulator apps affected by the bad SDK with at least five million installs included Hoverboard Racing, Real Tractor Farming Simulator, Ambulance Rescure, Heavy Mountain Bus Simulator 2018, Fire Truck Emergency Driver, Farming Tractor Real Harvest Simulator, Car Parking Challenge, Speed Boat Jet Ski, Water Surfing Car Stunt, Offroad Wood Transport Truck Driver 2018, Volumen booster & Equalizer, Prado Parking Adventure, and Oil Tanker Transport Truck Driver. 

Users likely wouldn’t notice the malicious app since the malware instructs the device to remove the app icon from the device launcher, making it harder to uninstall the app while it displays ads in the background. 

Besides fraudulently distributing ads among infected devices, the malicious apps can generate phishing pages and then open them in a browser, lending itself to targeted phishing attacks against specific users. 

Should SimBad’s owners choose, they also have the option to remotely install other apps and open a web page in a browser. 

The cyber security firm also exposed an SDK that has been used a dozen apps distributed in China outside of Google Play on Tencent MyApp, Wandoujia, Huawei App Store, and Xiaomi App Store. 

The apps had been downloaded an estimated 111 million times, accordion to Check Point, and are the first known example of of malicious apps that bypass the Android sandbox to install malicious apps. 

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags GoogleAndroidadwareCheck Point Software Technologies

More about Check PointGoogleHuaweiSpeedTransportXiaomi

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts