Investigating Black Market SDKs

We have uncovered some malicious SDKs in a few Android apps. The ones we have found are engaged in click fraud, but there are very likely many others in our corpus that we have not identified yet. The goal of this project is to study how these malicious SDKs make their way into apps and how they are distributed.

Research goal: Using the code we have already identified as a starting point, search online forums and malware distribution sites to determine how these malicious SDKs spread. We have not found them through any public channel, so we suspect they are being distributed in underground forums. We would also like to identify new malicious SDKs that we are not currently detecting.

Potential studies:

  • Based on the malicious behaviors we have observed, create heuristics that we can use to search our app database for additional malicious SDKs.
  • Study the online underground forums that distribute these SDKs so that we can obtain samples, examine them and fingerprint them, allowing us to detect their presence in other apps.
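
As an added illustration of the second study (fingerprinting a known SDK and then finding it in other apps), the following Python is example code written for this page, not the project's own tooling. It assumes that class lists have already been extracted from each app's DEX files (in `Lcom/example/Foo;` or `com.example.Foo` form) and that a known SDK is identified by the root package it was first seen under. The package names and class lists below are constructed for the example; the fingerprint is deliberately computed on class names relative to that root, so a copy of the SDK repackaged under a different root package still matches.

```python
"""Structural fingerprinting of an SDK from an app's class list (illustrative example)."""
import hashlib


def normalize(name):
    """Turn a dex descriptor like 'Lcom/a/b/C;' into dotted form 'com.a.b.C'."""
    if name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name.replace("/", ".")


def classes_under(class_list, root):
    """Class names below `root`, relative to it, sorted (e.g. 'net.Beacon' for 'com.sdk.net.Beacon')."""
    prefix = root + "."
    return sorted(normalize(c)[len(prefix):] for c in class_list if normalize(c).startswith(prefix))


def fingerprint(relative_classes):
    """SHA-256 over the sorted relative class names.
    The root package is not part of the hash, so relocating the SDK to a new package
    does not change the fingerprint."""
    h = hashlib.sha256()
    for c in sorted(relative_classes):
        h.update(c.encode())
        h.update(b"\n")
    return h.hexdigest()


def package_prefixes(class_list):
    """Every package (at every depth) that appears in the class list."""
    roots = set()
    for c in class_list:
        parts = normalize(c).split(".")
        for i in range(1, len(parts)):  # package prefixes only, never the class itself
            roots.add(".".join(parts[:i]))
    return roots


def find_sdk(app_classes, sdk_relative, threshold=0.9):
    """Search every package of `app_classes` for a copy of the SDK, wherever it was relocated.
    Similarity is the Jaccard index between the package's relative class set and the SDK's;
    1.0 is an exact structural match. Returns [(root, similarity)] best first."""
    target = set(sdk_relative)
    hits = []
    for root in package_prefixes(app_classes):
        found = set(classes_under(app_classes, root))
        if not found:
            continue
        sim = len(found & target) / len(found | target)
        if sim >= threshold:
            hits.append((root, round(sim, 3)))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


# Constructed sample data (hypothetical package names, not real SDKs).
KNOWN_SDK_ROOT = "com.adlib.core"
KNOWN_APP = [
    "Lcom/adlib/core/Init;", "Lcom/adlib/core/net/Beacon;",
    "Lcom/adlib/core/net/Clicker;", "Lcom/adlib/core/util/Hide;",
    "Lcom/victim/app/MainActivity;",
]
# The same SDK repackaged under org.zz.a inside an unrelated app.
REPACKAGED_APP = [
    "Lorg/zz/a/Init;", "Lorg/zz/a/net/Beacon;", "Lorg/zz/a/net/Clicker;",
    "Lorg/zz/a/util/Hide;", "Lorg/zz/MainActivity;", "Lorg/zz/b/Foo;",
]
# A trimmed copy: one SDK class was removed.
PARTIAL_APP = ["Lnet/x/Init;", "Lnet/x/net/Beacon;", "Lnet/x/net/Clicker;", "Lnet/y/Main;"]
CLEAN_APP = ["Lcom/clean/Main;", "Lcom/clean/ui/View;"]

SDK_RELATIVE = classes_under(KNOWN_APP, KNOWN_SDK_ROOT)
SDK_FINGERPRINT = fingerprint(SDK_RELATIVE)

if __name__ == "__main__":
    print("SDK fingerprint:", SDK_FINGERPRINT)
    for label, app in [("repackaged", REPACKAGED_APP), ("partial", PARTIAL_APP), ("clean", CLEAN_APP)]:
        print(label, find_sdk(app, SDK_RELATIVE, threshold=0.7))
```

The class-name structure is a cheap first-pass fingerprint and is only as stable as the names themselves; an obfuscator that renames classes defeats it, so a production pipeline would add features such as per-class method counts or string constants, and would run the same search over the whole app database to cluster apps that share a package structure not yet tied to a known SDK.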