General Explanation
Type: Adware
Degree of destruction: average
Prevalence: average
What is adware?
Adware is advertising malware that displays advertisements or multiple banners on your system and encourages you to buy products or use services. The authors of this kind of malware add advertising code to notification services in order to show ads and earn more money. By publishing their applications on Android markets, they try to get more people to use them.
What is the Fictus malware family?
Fictus is classified as a type of annoying advertising software. Adware is a software package that automatically shows advertising when the application runs. Such nuisance tools are often not destructive, but they are unwanted, and the user is not aware of their installation.
Technical Explanation
This application is available on various Android markets under the name “Du Battery Saver Pro| Power Doctor v3.9.9”. The producer claims that the application dramatically reduces the phone's battery usage when the battery of the user's Android phone holds its charge only briefly and in most cases shuts off immediately. In fact, this malware is a member of the adware family: it collects information from the user's phone and shows the user advertising related to that information.
This malware uses many advertising SDKs to show ads on the user's phone; “adeco.adsdk.ads” (Adeco is an advertising network for mobile) is one of them. Installation begins with the advertising SDKs being initialised to show ads, interstitial advertising, etc. The application then installs the real “Du Battery Saver”, hides its own initial activity, and starts the activity of the second application. The problem is that you cannot use all the services of the real Du Battery Saver unless you click on the ads sent to the phone and install the applications they ask for.
After the program is executed, the main application activity first checks for internet connectivity and then checks, through records in shared preferences, whether the application is being launched for the first time. If it is the first time, it looks for the second APK in the assets/applications folder and checks its size. This file is another version of the application with a different package name (com.dianxinos.dxbs) from the main application's package name (hd.com.dianxinos.dxbs). Next, an intent for InstallTypeActivity, which extends the BannerActivity class, is called. This class only holds the settings for showing advertisements through the SDKs added to the application.
InstallTypeActivity
Immediately after the main activity runs, the application sends a request to “hxxp[:]//s[.]net2share[.]com/servers[.]json”, and the response contains the addresses of two websites to connect to: ads02[.]adecosystems[.]com and ads03[.]adecosystems[.]com (which belong to Adeco advertising Co.). The data sent in the request to each of these addresses is read from a file in the application's shared preferences named “com.adeco.adsdk.mediation.AdsProviderImplModern.CACHE.xml”. It consists of a series of important data from the user's phone, which is sent to these advertising websites.
Advertising packages generally show ads matched to the user's preferences by collecting data from the user's phone, such as the IMEI, device ID, phone location, network connection properties, phone language, etc., and sending it to the advertising server in order to receive related ads.
The application also sends requests to the server to show advertising in the form of banners, videos, etc.
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="json_http://ads02.adecosystems.com/ad/1.0/ad.json?request_type=mma&placement=f_game&mcc=310&device_type=phone&package=hd.com.dianxinos.dxbs&aff=net2share&app_version=1&mac=&device_model=sdk&event=r&sdkname=com.adeco.adsdk&sdkversion=0.57.4&carrier=Android&mnc=260&odin=873b95e50a4e7c38be0a99e842c619a4beb1deee&campaign=%2525%2525CAMPAIGN%2525%2525&lat=NaN&device_manufacturer=unknown&created_date=2015-03-24&platform=android&os=19&app=cw2&lon=NaN&ad_width=320&imei=000000000000000&ad_height=50&connectionType=WWAN&device_id=c57e7f52ffc195bc&pub=1780&market=default&ad_type=custom">{"global_opt":{"ai_enabled":false,"ac_secure":false,"ac_enabled":false,"disable_threshold":95}}</string>
<long name="expire_http://ads02.adecosystems.com/ad/1.0/ad.json?request_type=mma&placement=f_game&mcc=310&device_type=phone&package=hd.com.dianxinos.dxbs&aff=net2share&app_version=1&mac=&device_model=sdk&event=r&sdkname=com.adeco.adsdk&sdkversion=0.57.4&carrier=Android&mnc=260&odin=873b95e50a4e7c38be0a99e842c619a4beb1deee&campaign=%2525%2525CAMPAIGN%2525%2525&lat=NaN&device_manufacturer=unknown&created_date=2015-03-24&platform=android&os=19&app=cw2&lon=NaN&ad_width=320&imei=000000000000000&ad_height=50&connectionType=WWAN&device_id=c57e7f52ffc195bc&pub=1780&market=default&ad_type=custom" value="1597831943459" />
</map>
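The cache file above records exactly which parameters left the device. The following Python code is an added example, not part of the original analysis: it parses such a shared-preferences file and reports, per ad host, which identifier, location and network fields were populated and whether the request went over cleartext HTTP. The sample input is constructed from the file above (shortened), and the parameter categories are this example's own assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: same layout as the cache file above, shortened, with '&'
# escaped as '&amp;' as it is stored on disk.
SAMPLE_PREFS = b"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
<string name="json_http://ads02.adecosystems.com/ad/1.0/ad.json?package=hd.com.dianxinos.dxbs&amp;mac=&amp;mcc=310&amp;mnc=260&amp;lat=NaN&amp;lon=NaN&amp;imei=000000000000000&amp;device_id=c57e7f52ffc195bc&amp;odin=873b95e50a4e7c38be0a99e842c619a4beb1deee&amp;ad_width=320">{}</string>
<long name="expire_http://ads02.adecosystems.com/ad/1.0/ad.json?package=hd.com.dianxinos.dxbs&amp;imei=000000000000000" value="1597831943459" />
</map>"""

# Assumption of this example: how each query parameter is categorised.
SENSITIVE = {
    "imei": "device identifier", "device_id": "device identifier",
    "odin": "device identifier", "mac": "device identifier",
    "lat": "location", "lon": "location",
    "mcc": "network", "mnc": "network", "carrier": "network",
    "connectionType": "network",
}
KEY_PREFIXES = ("json_", "expire_")   # prefixes the SDK puts before the URL
EMPTY = {"", "NaN"}                   # placeholders meaning "no value collected"

def cached_requests(prefs_xml):
    """Return the distinct request URLs used as preference keys."""
    urls = []
    for entry in ET.fromstring(prefs_xml):
        name = entry.get("name", "")
        for prefix in KEY_PREFIXES:
            url = name[len(prefix):]
            if name.startswith(prefix) and url not in urls:
                urls.append(url)
    return urls

def exposure_report(prefs_xml):
    """Map each ad host to the populated sensitive fields it was sent."""
    report = {}
    for url in cached_requests(prefs_xml):
        parts = urlsplit(url)
        host = report.setdefault(parts.hostname, {"cleartext": False, "fields": {}})
        host["cleartext"] |= parts.scheme == "http"
        query = parse_qs(parts.query, keep_blank_values=True)
        for key, category in SENSITIVE.items():
            for value in query.get(key, []):
                if value not in EMPTY:
                    host["fields"].setdefault(category, {})[key] = value
    return report

if __name__ == "__main__":
    print(exposure_report(SAMPLE_PREFS))
```

Run against a file pulled from a test device, the report shows at a glance whether location was actually collected (`lat`/`lon` are `NaN` in the sample above) and which hardware identifiers were transmitted.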
FinishActivity
This activity is called in order to install the package.apk file located in the assets/applications path; that is, the second application immediately replaces the initial application once it has been installed, and then runs. A message also appears on the screen stating that the application is version 3.9.9 of this application, and the initial application is then hidden.
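The second-stage package.apk carried in assets/applications is something static triage can look for before an app is ever run. The following Python code is an added example, not part of the original analysis: it opens an APK as a ZIP archive and lists every asset that is itself an installable APK, judged by content rather than file extension. The sample archive is constructed in memory with dummy contents, and the helper names are this example's own.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()

def build_sample():
    """Constructed stand-in for the outer APK: dummy contents, no real code."""
    inner_apk = make_zip({"AndroidManifest.xml": b"<inner/>", "classes.dex": b"dex"})
    plain_zip = make_zip({"theme/colors.txt": b"blue"})
    return make_zip({
        "AndroidManifest.xml": b"<outer/>",
        "classes.dex": b"dex",
        "assets/applications/package.apk": inner_apk,
        "assets/skins.zip": plain_zip,        # archive, but not an APK
        "assets/readme.txt": b"hello",
    })

def embedded_apks(apk_bytes, max_size=64 * 1024 * 1024):
    """Return (path, size) for every asset that is itself an installable APK.

    Detection is by content, so a payload renamed to .dat or .png still matches.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if not info.filename.startswith("assets/") or info.file_size > max_size:
                continue                      # skip non-assets and oversized entries
            data = outer.read(info)
            if not data.startswith(ZIP_MAGIC):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    names = inner.namelist()
            except zipfile.BadZipFile:
                continue
            if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
                hits.append((info.filename, info.file_size))
    return hits

if __name__ == "__main__":
    print(embedded_apks(build_sample()))
```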
InterstitialApplication
As specified in the Manifest.xml file, the malware author has added several different advertising SDKs to the application. These SDKs are MoPub, Adeco AdSDK, AdColony SDK, and MobFox.
Advertising SDKs help application owners make money from their application without charging users for using it. The SDK establishes the relationship between the programmer and the advertising channel. The ads shown can be of any type: banner, interstitial, video, or domestic advertising.
Interstitial ads have been used in this application which includes the following cases:
- Interstitial Banner Ad: in this type of advertising, depending on the developer’s implementation, a full-screen banner is shown to the user at a set time, and the user can skip the ad after a few seconds if not interested in watching it.
- Interstitial Video Ad: this type of ad, similar in appearance to your original media content, is shown to users when their interest and attention are highest.
<activity android:name="org.nexage.sourcekit.vast.activity.VASTActivity" android:screenOrientation="0" >
</activity>
<meta-data android:name="com.google.android.gms.version" android:value="@7F090000" >
</meta-data>
<service android:name="com.adeco.adsdk.app.DebugService" >
</service>
<activity android:name="com.adeco.adsdk.app.InAppBrowserActivity" > </activity>
<meta-data android:name="com.adeco.analytics.FLURRY_KEY" android:value="SRRJNWBBVMHGYZ2C2MQG" >
</meta-data>
<activity android:name="com.adeco.adsdk.app.InterstitialActivity" > </activity>
<activity android:theme="@android:01030009" android:name="com.adeco.adsdk.steps.AppsActivity" android:screenOrientation="1" >
</activity>
<activity android:theme="@android:01030009" android:name="com.adeco.adsdk.steps.SponsorsActivity" android:screenOrientation="1" > </activity>
<activity android:theme="@android:01030009" android:name="com.adeco.adsdk.adpath.InstallActivity" android:screenOrientation="1" > </activity>
<activity android:theme="@android:01030009" android:name="com.adeco.adsdk.steps.InstallTypeActivity" android:screenOrientation="1" >
</activity>
<activity android:theme="@android:01030009" android:name="com.adeco.adsdk.app.OverlayActivity" >
</activity>
<receiver android:name="com.adeco.adsdk.receivers.AdsReceiver" >
<intent-filter >
<action android:name="android.net.conn.CONNECTIVITY_CHANGE" > </action>
<action android:name="android.net.wifi.WIFI_STATE_CHANGED" >
</action>
</intent-filter>
</receiver>
<!-- MoPub -->
<activity android:theme="@android:01030010" android:name="com.millennialmedia.android.MMActivity" android:configChanges="0x000000b0" >
</activity>
<activity android:name="com.millennialmedia.android.VideoPlayer" android:configChanges="0x000000b0" >
</activity>
<activity android:theme="@android:01030011" android:name="com.vdopia.android.preroll.VDOPrerollActivity" android:screenOrientation="0" android:configChanges="0x000000a0" >
</activity>
<activity android:theme="@android:01030011" android:name="com.jirbo.adcolony.AdColonyOverlay" android:configChanges="0x000000a0" >
</activity>
<activity android:theme="@android:0103000A" android:name="com.jirbo.adcolony.AdColonyFullscreen" android:configChanges="0x000000a0" >
</activity>
<activity android:theme="@android:0103000A" android:name="com.jirbo.adcolony.AdColonyBrowser" android:configChanges="0x000000a0" >
</activity>
<activity android:name="com.adsdk.sdk.banner.InAppWebView" android:configChanges="0x00000fb0" > </activity>
<activity android:name="com.adsdk.sdk.mraid.MraidActivity" android:configChanges="0x00000fb0" >
</activity>
<activity android:name="com.adsdk.sdk.video.RichMediaActivity" android:configChanges="0x00000fb0" android:hardwareAccelerated="false" >
</activity>
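A manifest like the one above can be inventoried automatically when reviewing an app. The following Python code is an added example, not part of the original analysis: it groups the declared components of a decoded manifest by advertising SDK and lists the system broadcasts that SDK receivers subscribe to. The sample manifest is constructed (the `MainActivity` name is hypothetical), and the prefix-to-vendor mapping is this example's assumption based on the package names and SDK names on this page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Assumption of this example: package prefix -> SDK vendor label.
SDK_PREFIXES = {
    "com.adeco.adsdk": "Adeco AdSDK",
    "com.jirbo.adcolony": "AdColony",
    "com.adsdk.sdk": "MobFox",
}

# Constructed sample in the form a decoder such as apktool would emit.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="hd.com.dianxinos.dxbs">
<application>
<activity android:name="com.adeco.adsdk.steps.InstallTypeActivity" />
<service android:name="com.adeco.adsdk.app.DebugService" />
<receiver android:name="com.adeco.adsdk.receivers.AdsReceiver">
<intent-filter>
<action android:name="android.net.conn.CONNECTIVITY_CHANGE" />
<action android:name="android.net.wifi.WIFI_STATE_CHANGED" />
</intent-filter>
</receiver>
<activity android:name="com.jirbo.adcolony.AdColonyOverlay" />
<activity android:name="com.adsdk.sdk.mraid.MraidActivity" />
<activity android:name="hd.com.dianxinos.dxbs.MainActivity" />
</application>
</manifest>"""

def sdk_inventory(manifest_xml):
    """Group declared components by the ad SDK whose package they live in."""
    app = ET.fromstring(manifest_xml).find("application")
    found = defaultdict(list)
    for comp in (app if app is not None else []):
        name = comp.get(ANDROID_NS + "name", "")
        vendor = next((v for p, v in SDK_PREFIXES.items()
                       if name.startswith(p + ".")), None)
        if comp.tag not in COMPONENT_TAGS or vendor is None:
            continue                          # the app's own code or non-component
        actions = [a.get(ANDROID_NS + "name") for a in comp.iter("action")]
        found[vendor].append({"type": comp.tag, "name": name, "actions": actions})
    return dict(found)

def broadcast_triggers(inventory):
    """(receiver, action) pairs: system events that wake SDK code."""
    return sorted((c["name"], a) for comps in inventory.values()
                  for c in comps if c["type"] == "receiver" for a in c["actions"])

if __name__ == "__main__":
    print(sdk_inventory(SAMPLE_MANIFEST))
```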
About the installed file named package.apk, located in the assets path of the application:
Generally, this file is the actual application that the user set out to install. The DU Battery Saver Pro|Power Doctor v3.9.9 application aims to considerably reduce the phone's battery usage when your Android phone's battery holds its charge only briefly and in most cases shuts off immediately. It can also optimize the phone's performance in most areas and, by showing the list of applications on the phone and which of them use the phone the most, help the user manage the phone's applications optimally. The point to note from examining this file is that it also uses advertising packages (Facebook and tapjoy); therefore, like other applications of this malware family, it can easily show relevant advertising on the user’s phone by collecting the user’s phone data, and, for profit, it sends that data to its server and proposes other applications to the user.
How to deal with it and disinfect the system
To make sure the device is not infected, install Padvish Antivirus, keep its database file up to date, and scan the system.
Preventing the phone from being infected:
- Avoid downloading and installing applications from unauthorized sources and markets.
- Pay attention to the permissions requested during installation.
- Continuously back up the files and information on the phone.
- Do not use unofficial application versions. Applications such as Telegram and Instagram have many unofficial versions, and most of them are distributed through Telegram channels.