Some Android VPN Apps Contain Adware

I have been doing research on suspicious Android VPNs for a while now. This jammed my Samsung Galaxy S5 so full of applications that I had to remove a few before I could install a new one.

It was a regular morning at the office. I was conducting network analysis with my Samsung at my desk when a popup and an annoying children's tune got my attention. I usually close those ads as soon as they interrupt my workflow, but this one really struck me…

You see… I wasn’t using any third-party app while it happened.

I was just browsing my media files, a place where you wouldn’t expect to get slammed with an ad.

A few seconds later I heard steam escaping from the kettle, so I locked the phone screen with a habitual hand gesture and slowly walked to the kitchen to get coffee.

Re-energized, I walked back to the office corner and went into detective mode. The popup appeared again. With Popup Ad Detector the cause became clear: four VPN apps were the source of the problem: HotSpotVPN, Free VPN Master, Secure VPN, and CM Security Applock AntiVirus.

Ads are supposed to appear inside the app, on its own pages, while the user is actually using it.

In out-of-app ad fraud, however, ads pop up while the app is running in the background or even outside the app environment altogether (e.g. ad views placed over the home screen, covering the app icons users need to tap to start other apps). As a user, not only do I find it treacherous for a privacy app to barge onto my phone screen, but the constant HTTP requests keep the CPU busy and drain the battery.

Summary:

  • Total downloads: 500 000 000+
  • 4 Android apps contain code indicative of ad-fraud behavior
  • 2 of the applications have nearly identical code
  • All four developers' listed addresses are in China.

Hotspot VPN by HotspotVPN 2019

Name: Hotspot VPN – Free Unlimited Fast Proxy VPN
Developer: HotspotVPN 2019
Address: Block 13, 28 Cheung Sha Wan Road, Kowloon, Hong Kong
URL: https://play.google.com/store/apps/details?id=com.free.unblock.proxy.hotspot.vpn
Package Name: com.free.unblock.proxy.hotspot.vpn [Play Store]

File Size: 10.6 MB
SHA1 Hash: 49b84657a16aaa3a4cd68e327f5ca69603911080
Version: 1.0.6 (7)
Downloads: 500 000+

Methods

The application was downloaded from the Play Store and reversed. The files that were found are shown in Figure 1: the AndroidManifest, where all the permissions are declared; the classes.dex file, which contains the code; and other files such as images and layout specifications.

The most important file is classes.dex, because it is the basis for analyzing how the application works.

Figure 1. Files found in the apk
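An added triage helper, not the post's own tooling, that does the first step above in code: it opens the apk as the zip archive it is, lists the manifest, classes.dex and resource entries, hashes the whole file (the SHA1 quoted in the header) and checks the three integrity fields of the dex header, which a carelessly repacked classes.dex fails. The sample apk it builds is constructed for the example.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"  # DEX format version 035


def verify_dex(dex: bytes) -> dict:
    # Header (LE): magic[8], checksum u32 @8 = Adler-32 of bytes 12..end,
    # signature[20] @12 = SHA-1 of bytes 32..end, file_size u32 @32.
    if len(dex) < 0x70 or dex[:8] != DEX_MAGIC:
        return {"magic_ok": False}
    checksum, sig, file_size = struct.unpack_from("<I20sI", dex, 8)
    return {"magic_ok": True, "size_ok": file_size == len(dex),
            "checksum_ok": checksum == zlib.adler32(dex[12:]) & 0xFFFFFFFF,
            "signature_ok": sig == hashlib.sha1(dex[32:]).digest()}


def triage_apk(apk: bytes) -> dict:
    # An APK is a zip: list its entries, hash the file, verify classes.dex.
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
        dex = zf.read("classes.dex") if "classes.dex" in names else b""
    return {"sha1": hashlib.sha1(apk).hexdigest(), "entries": names,
            "dex": verify_dex(dex)}


def build_sample_apk(tamper: bool = False) -> bytes:
    # Constructed sample: manifest stub plus a minimal dex whose signature and
    # checksum are computed correctly; tamper=True edits a byte after sealing.
    dex = bytearray(DEX_MAGIC + b"\0" * 0x68 + b"\0" * 16)
    struct.pack_into("<I", dex, 32, len(dex))
    dex[12:32] = hashlib.sha1(dex[32:]).digest()
    struct.pack_into("<I", dex, 8, zlib.adler32(dex[12:]) & 0xFFFFFFFF)
    if tamper:
        dex[-1] = 1
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", bytes(dex))
        zf.writestr("res/layout/main.xml", "<LinearLayout/>")
    return buf.getvalue()
```

Run it on a real apk with `triage_apk(open(path, "rb").read())`; the sha1 field is what you compare against the hash listed above.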

The apk (Android file format) was reversed in order to extract the code. Identified packages are found in Figure 2. It is worth mentioning that the application code was obfuscated, though it was possible to identify some behaviors.

Figure 2. Identified packages and code

The whole code was analyzed and we found that the application uses Google's advertisement API, which means it can show advertisements whenever it wants. Figure 3 shows the um.a.a.class code where the application uses the advertisement token.

Figure 3. Code on Google advertisements API

Other code, shown in Figure 4, reveals that the application also uses the Facebook advertisement API.

Figure 4. Code on Facebook advertisements API

Malicious behavior in the traffic

Accessed URLs:

  • adlog.flurry.com
  • ads.mopub.com
  • conf.daydayup.today
  • doc.app.unitemagic.com
  • fv.app.unitemagic.com
  • play.google.com
  • www.example.com
  • www.facebook.com
  • www.google.com
  • www.yahoo.com
  • csi.gstatic.com/csi
  • imasdk.googleapis.com
  • pagead2.googlesyndication.com
  • twitter.com
  • www.mopub.com

REQUEST

GET /edgedl/release2/SwRmBLZ4gN8_137/137_all_MX_optimizationHints.crx3 HTTP/1.1
Host: redirector.gvt1.com
User-Agent: Mozilla/5.0 (Linux; Android 4.2.2; ALCATEL ONE TOUCH 5036A Build/JDQ39) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Mobile Safari/537.36
Accept-Encoding: gzip, deflate
Connection: close

RESPONSE

HTTP/1.1 302 Found
Date: Thu, 06 Jun 2019 18:52:28 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, must-revalidate
Location: http://r6---sn-j5cax8pnpvohm-hxme.gvt1.com/edgedl/release2/SwRmBLZ4gN8_137/137_all_MX_optimizationHints.crx3?cms_redirect=yes&mip=201.141.239.15&mm=28&mn=sn-j5cax8pnpvohm-hxme&ms=nvh&mt=1559846977&mv=m&pl=22&shardbypass=yes
Content-Type: text/html; charset=UTF-8
Server: ClientMapServer
Content-Length: 452
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Connection: close
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://r6---sn-j5cax8pnpvohm-hxme.gvt1.com/edgedl/release2/SwRmBLZ4gN8_137/137_all_MX_optimizationHints.crx3?cms_redirect=yes&amp;mip=201.141.239.15&amp;mm=28&amp;mn=sn-j5cax8pnpvohm-hxme&amp;ms=nvh&amp;mt=1559846977&amp;mv=m&amp;pl=22&amp;shardbypass=yes">here</A>.
</BODY></HTML>

Following the redirect URL:
http://r6---sn-j5cax8pnpvohm-hxme.gvt1.com/edgedl/release2/SwRmBLZ4gN8_137/137_all_MX_optimizationHints.crx3?cms_redirect=yes&mip=201.141.239.15&mm=28&mn=sn-j5cax8pnpvohm-hxme&ms=nvh&mt=1559846977&mv=m&pl=22&shardbypass=yes

The application downloads a file with the data shown in Figure 5, but it is not a common file. The magic number 4372 does not exist.

Figure 5. Data downloaded by the application
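One check worth running on that blob, added here and not part of the original analysis: the .crx3 extension in the URL names Chrome's CRX3 package format, whose files begin with the four ASCII bytes "Cr24", and the first two of those bytes are 0x43 0x72, i.e. the "4372" seen in the dump. The helper below tests a downloaded file against that framing and reports whether an ordinary zip archive follows the header; the sample file it builds is constructed, with a placeholder where the signed protobuf header would be.

```python
import io
import struct
import zipfile

CRX3_MAGIC = b"Cr24"   # bytes 43 72 32 34; the first two are the "4372" of the dump


def identify_crx(data: bytes) -> dict:
    # CRX3 framing: magic "Cr24", version u32 LE (3), header_size u32 LE,
    # header_size bytes of protobuf CrxFileHeader, then an ordinary zip.
    result = {"first_bytes_hex": data[:2].hex(), "is_crx": False}
    if len(data) < 12 or data[:4] != CRX3_MAGIC:
        return result
    version, header_size = struct.unpack_from("<II", data, 4)
    payload = data[12 + header_size:]
    result.update(is_crx=True, version=version, header_size=header_size,
                  payload_is_zip=payload[:4] == b"PK\x03\x04", entries=[])
    if result["payload_is_zip"]:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            result["entries"] = zf.namelist()
    return result


def build_sample_crx3() -> bytes:
    # Constructed stand-in with the right framing only: a 4-byte placeholder
    # where the signed protobuf header would be, wrapped around a tiny zip.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", "{}")
    header = b"\0" * 4
    return CRX3_MAGIC + struct.pack("<II", 3, len(header)) + header + buf.getvalue()
```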

We found that parts of the code read the screen dimensions for some purpose, as shown in Figure 6.

Figure 6. Code that gets the screen properties

Elsewhere in the code the previous function is used for specific purposes, such as when a specific key is pressed in a particular context, and in cases whose behavior we could not identify, as shown in the function final void b in Figure 7.

Figure 7. Functions that need to fit something to the screen

The following screenshots show some advertisements that fill the screen while the application is running in the background (connection is turned off):

Figure 8. Ads

Free VPN Master by Freemaster 2019

Name: Free VPN Master – Fast secure proxy VPN
Developer: Freemaster2019
Address: Unit 04-05, 16th Floor, The Broadway No. 54-62 Lockhart Road, Wanchai, Hong Kong
URL: https://play.google.com/store/apps/details?id=com.free.fast.master.unblock.proxy.vpn
Package Name: com.free.fast.master.unblock.proxy.vpn [Play Store]
File Size: 10.6 MB
SHA1 Hash: e12f8e3e49f471a168697bc982006ee04d17ed7e
Version: 2.2.5 (55)
Downloads: 1 000 000+

Methods

The application was downloaded from the Play Store and reversed. The files that were found are shown in Figure 9: the AndroidManifest, where all the permissions are declared; the classes.dex file, which contains the code; and other files such as images and layout specifications.

As before, the most important file to study is classes.dex, as it shows how the application works.

Figure 9. Files found in the apk

The apk was reversed to extract the code. Identified packages are found in Figure 10.

Figure 10. Identified packages and code

We found that the application uses Google's advertisement API. Figure 11 shows the um.a.a.class code where the application uses the advertisement token.

Figure 11. Code where Google advertisements API is used

Analysis of the second application found that both apks had the same structure and code, but the hashes were not the same. The package com.a.a.a.a.a (Figure 11) had one more 'a' in the second application, i.e. it appeared as com.a.a.a.a.a.a; that alone was enough to give the two apks different hashes even though the whole code was the same.

Figure 11. Package name com.a.a.a.a.a

Accessed URLs:

  • daydayup.today
  • mopub.com
  • gstatic.com
  • flurry.com
  • appsflyer.com
  • google.com
  • play.googleapsi.com
  • amazonaws.com
  • googleadservices.com
  • yahoodns.net
  • unitemagic.com

Conclusion

We think both applications are the same app with slight modifications to package names in order to give the two apks different hashes: once reversed, they had the same code and had been obfuscated with the same tool. The developer names on Google Play are different, although that does not mean they were made by different people.

We also found code that uses the Google and Facebook advertisement APIs.
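An added example, not from the post, of the kind of comparison described here: class paths from two apks are compared raw and after collapsing each run of single-letter (obfuscator-renamed) package segments, so that com.a.a.a.a.a and com.a.a.a.a.a.a map to the same key. The two class lists are constructed to mirror the finding, not taken from the apks.

```python
import re
from collections import Counter
from itertools import groupby

SINGLE_LETTER = re.compile(r"^[a-z]$")   # a renamed package segment such as "a"


def normalize(class_path: str) -> str:
    # Collapse each run of single-letter segments into "*", so that
    # com/a/a/a/a/a/X.class and com/a/a/a/a/a/a/X.class both give com/*/X.class.
    parts = class_path.split("/")
    out = []
    for obf, run in groupby(parts, key=lambda p: bool(SINGLE_LETTER.match(p))):
        out.extend(["*"] if obf else list(run))
    return "/".join(out)


def similarity(classes_a, classes_b, normalized=True) -> float:
    # Weighted Jaccard over class-path multisets (sum of mins / sum of maxes),
    # so the number of classes behind each collapsed prefix still counts.
    key = normalize if normalized else (lambda s: s)
    ca, cb = Counter(map(key, classes_a)), Counter(map(key, classes_b))
    keys = set(ca) | set(cb)
    num = sum(min(ca[k], cb[k]) for k in keys)
    den = sum(max(ca[k], cb[k]) for k in keys)
    return num / den if den else 1.0


# Constructed class lists mirroring the finding: identical code, one extra "a".
HOTSPOT = ["com/a/a/a/a/a/a.class", "com/a/a/a/a/a/b.class", "um/a/a.class",
           "com/facebook/ads/Ad.class", "com/google/android/gms/ads/AdView.class"]
MASTER = ["com/a/a/a/a/a/a/a.class", "com/a/a/a/a/a/a/b.class", "um/a/a.class",
          "com/facebook/ads/Ad.class", "com/google/android/gms/ads/AdView.class"]
```

With the raw paths the two lists share only the non-renamed classes; after normalization they are identical, which is the signal that the code is the same build under a different obfuscation pass.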

Here’s a screen-recording of their behavior:

[Video: screen recording of the ad behavior]

Secure VPN by SEC VPN

Name: Secure VPN – Unlimited Free & Super VPN Proxy
Developer: SEC VPN
Address: Sea Side Road, Ma Liu Shui, Hong Kong
URL: https://play.google.com/store/apps/details?id=com.sec.free.vpn
Downloads: 1 000 000+

The classes that contain the string http:// are:

  • android/support/v4/text/util/LinkifyCompat.class
  • android/support/v4/content/res/g.class
  • android/support/design/d/a.class
  • android/support/design/d/b.class
  • android/support/customtabs/c.class
  • com/facebook/ads/internal/lw.class
  • com/facebook/ads/internal/nu.class
  • com/facebook/ads/internal/jo.class
  • com/facebook/messenger/MessengerUtils.class
  • com/facebook/share/internal/ShareContentValidation.class
  • com/google/a/b/a/ac.class
  • com/google/android/gms/internal/ads/zzoh.class
  • com/google/android/exoplayer2/drm/k.class
  • com/google/android/exoplayer2/text/ttml/a.class

As can be seen, most of them are ad-related. The classes whose names include the word "Ads" are mostly in android.facebook.ads; others, however, look interesting because they do not contain any URL at all:

  • com/VpnBannerActivity$b.class
  • com/facebook/ads/Ad.class
  • com/facebook/ads/RewardedVideoAd.class
  • com/sec/free/vpn/h/a.class
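The sweep described above (which classes mention "http://" or "Ads"), as an added example rather than the post's own method: a small reader for the dex string table, so the check runs on classes.dex directly without first converting it to .class files. It reports string constants rather than per-class hits, and the sample dex and its strings are constructed for the example.

```python
import struct


def read_uleb128(buf: bytes, off: int):
    # Dex stores the utf16 length before each string as ULEB128.
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, off


def dex_strings(dex: bytes):
    # Header fields string_ids_size / string_ids_off sit at 0x38 / 0x3C; each
    # table entry is a u32 offset to [uleb128 utf16_size][MUTF-8 bytes][NUL].
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, table = struct.unpack_from("<II", dex, 0x38)
    for i in range(count):
        data_off, = struct.unpack_from("<I", dex, table + 4 * i)
        _, start = read_uleb128(dex, data_off)
        end = dex.index(b"\0", start)
        yield dex[start:end].decode("utf-8", errors="replace")


def find_indicators(dex: bytes, needles=("http://", "https://", "Ads")):
    # The sweep the post did by hand: which string constants mention each marker.
    strings = list(dex_strings(dex))
    return {n: [s for s in strings if n in s] for n in needles}


def build_sample_dex(strings) -> bytes:
    # Constructed dex: 0x70-byte header, string_ids table, then ASCII string
    # data shorter than 128 chars, so each ULEB128 length is a single byte.
    header = bytearray(b"dex\n035\0" + b"\0" * 0x68)
    table_off = len(header)
    ids, data = b"", b""
    for s in strings:
        ids += struct.pack("<I", table_off + 4 * len(strings) + len(data))
        data += bytes([len(s)]) + s.encode("ascii") + b"\0"
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    return bytes(header) + ids + data


# Constructed string constants in the style of the class and URL lists above.
SAMPLE = ["Landroid/support/v4/text/util/LinkifyCompat;", "http://www.example.com",
          "Lcom/facebook/ads/Ad;", "Ads request failed", "https://ads.mopub.com/"]
```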

Once the apk was reversed it was possible to identify a set of packages related to ads, as Figure 12 shows.

Figure 12. List of packages related with Ads

In com.facebook.ads.internal.ac.class we found code that catches activities such as clicks, dismissals and displays. Since it sits in a package called "Ads", it can be inferred that it is used for monitoring and displaying ads based on user activity.

Figure 13. Monitored activities.

In com.google.ads we found the code that manages ads using the Google API; as can be seen in Figure 14, some parts of the code show that requests are made in order to obtain the ad.

Figure 14. Strings that show some alerts based on requests to the Google API.

We also found a set of classes that manage the process of fetching and showing ads, as can be seen in Figure 15. It covers events, the rendering of the ad, the request, and how the ad is shown. Analyzing each file shows that it validates some features of the application, for example internet access, as shown in the screenshot. There are also listeners that correlate the IDs obtained from the API, which manages the ID assigned to each ad, called AdUnitId.

Figure 15. Ad ID process management.

Some ads from MoPub seem to be selected based on specific properties such as country and region, as can be seen in Figure 16.

Figure 16. Properties that possibly are considered to show an ad.

In com.c.a.c.class we found code that can read and write logs on the SD card; however, there is no evidence that it is used only for reading and writing logs, as shown in Figure 17.

Figure 17. Access to writing and reading, supposedly used for managing logs.

Visual representation of the behavior:

Figure 18. Some ad examples


Security Master by Cheetah Mobile (AppLock & AntiVirus)

Name: Security Master – Antivirus, VPN, AppLock, Booster
Developer: Cheetah Mobile (AppLock & AntiVirus)
Address: Hui Tong Times Square NO. 8, Yaojiayuan S. Rd., Beijing 100123, P.R.C
URL: https://play.google.com/store/apps/details?id=com.cleanmaster.security
Downloads: 500 000 000+

In the file cm.security.main.h.class we identified a list of commented byte codes, as shown in Figure 19. Some of them are URLs with interesting properties, described in the following images.

Figure 19. List of byte codes

Figure 20 shows the URL behind code 627, which was accessed using Mozilla.

Figure 20. Codes that represent URL values related to ads

The b() function is called from several places. Although the function is overloaded, only the overload that receives an integer returns a byte code. Figure 20.1 shows a function onPageSelected that validates the state of the application flow in order to decide whether or not to show an ad.

Figure 20.1 b function

Some buttons execute actions but also trigger ads, as can be seen in Figure 20.2.

Figure 20.2 Button action + ads

The MenuController is a provider that makes it easy to control a Menu, and as Figure 20.3 shows, ads are also triggered when some of its properties are set.

Figure 20.3 Ads related to MenuController

Figure 21 shows the URL with code 627, which leads to an advertisement.

Figure 21. URL related to the first byte code

The URL with code 653 leads to another advertisement, shown in Figure 22.

Figure 22. Ad related to the second byte code

In the file com.facebook.ads.internal.b.q.class we also found code that requests an advertisement from Facebook, as shown in Figure 23.

Figure 23. Code that creates an object for requesting ads to Facebook

If the URL is accessed directly through a web browser, as shown in Figure 25, it serves ads.

Figure 25. URL of Facebook Ads found in the apk

In the package com we found ad services from AirBnB, Facebook, GitHub, Google, unity3d and others.

Figure 26. Packages related to Ads in the apk.

Conclusion

This application takes it a step further. Instead of constantly showing ads, the app leverages its enormous user base and intrudes less often and at random (see the byte codes in Figure 19). It uses a more sophisticated approach: it pops the app itself up and shows the ads immediately after you try to get back to the home screen.


Andy Michael

Reviewed over 62+ VPNs. Specialized in network forensics, IoT and big data analytics. Former security consultant at ISC.