Security
Headlines
HeadlinesLatestCVEs

Headline

Adware found on Google Play — PDF Reader servicing up full screen ads

Categories: Android Categories: News A PDF reader found on Google Play with over one million downloads is aggressively displaying full screen ads, even when the app is not in use.

(Read more…)

The post Adware found on Google Play — PDF Reader servicing up full screen ads appeared first on Malwarebytes Labs.

Malwarebytes
#android#mac#google#pdf

A PDF reader found on Google Play with over one million downloads is aggressively displaying full screen ads, even when the app is not in use. More specifically, the reader is known as PDF reader - documents viewer, package name com.document.pdf.viewer. As a result, this aggressive behavior lands it in the realm of adware. Or as we call it, Android/Adware.HiddenAds.PPMA.

Catching the adware

Catching this adware in real time is a game of install and wait. It takes a couple of hours before the PDF app will display ads. This long delay is in order to make it harder to track down which app is causing the ads. For example, full screen ads displaying immediately after install would likely result in quick a uninstall. With this in mind, I plugged my test phone into my laptop with Android Device Monitor running. Among other tools, Android Device Monitor includes LogCat which logs all activity on an Android mobile device. I then installed PDF reader - documents viewer, package name com.document.pdf.viewer, directly from Google Play. Thus, my waiting game begins the morning of August 22nd.

To my surprise, at 15:04 I heard my test phone sound a charm. My expectation from previous testing is that it takes longer before an ad displays. Before unlocking the screen, I checked my LogCat logs.

_08-22 15:04:55.348: I/ActivityManager(765): START u0 {flg=0x14c00004 cmp=com.document.pdf.viewer/.ads.PPMActivity} from uid 10277
_

The keyword is ‘START’ in the log. What starts is an Ad SDK. This time, from the PDF reader’s special in-house Ad SDK, com.document.pdf.viewer.ads.PPMActivity. Unlocking the lock screen, another important log comes in.

08-22 15:04:56.318: I/ActivityManager(765): Displayed com.document.pdf.viewer/.ads.PPMActivity: +942ms

Indeed, looking at the phone there is a full screen ad “displayed."

Soon after, another Ad SDK starts in the logs.

08-22 15:05:34.227: I/ActivityManager(765): START u0 {flg=0x10000000 cmp=com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity (has extras)} from uid 10277

Once again, another ad displays. This time it is a video ad.

08-22 15:05:34.927: I/ActivityManager(765): Displayed com.document.pdf.viewer/com.facebook.ads.AudienceNetworkActivity: +555ms

After the initial ads, they come more frequently. Each time, the start of ads is signified by a charm sounding on the mobile device. Henceforth, a full screen ad is waiting. Immediately after the first ad is a video ad.

Don’t blame the Ad SDKs

PDF reader uses an array of common Ad SDKs and its own Ad SDK. Facebook Ads is shown in the log above, but we also observed it using Applovin along with others. In addition, it uses an in-house Ad SDK contained in com.document.pdf.viewer.ads.PPMActivity. Although the use of these common Ad SDKs is shown displaying ads, it is not necessarily their fault. The issue is displaying ads where they ought not to be displayed. Any of these ads within the app, whiling using the app, is fair game. Moreover, Ad SDK’s like Applovin and Facebook Ads are necessary to keep apps free on the Play Store. It is only when the ads start displaying outside the app at random that this qualifies as adware. It is the PDF reader app that is wrongfully using these Ad SDKs.

Not all PDF readers are the same

There are many good PDF readers on Google Play. However, this one has some oddities signaling red flags right from the Google Play Store description.

Note the Mature 17+ content rating. For what reason does a PDF reader need a mature rating? Another clue something is not right is the developer’s name of Fairy games. I get diversifying the kinds of apps you provide, but odd developer name for anything other than gaming apps.

Am I infected?

If you are thinking to yourself, “I have a PDF reader installed, am I infected!?” here are a few things to check. Are you receiving full screen ads? If yes, do you have an icon that looks like this?

If you do, you can uninstall from Apps info.

More easily, you can install Malwarebytes for Android and use our free scanner to remove.

Another one slips through

From what we can tell from previous versions of PDF reader - documents viewer, it has existed since November 2021. Each version thereafter serves ads just like the most recent Google Play version. Although we cannot verify if it existed on Google Play since 2021, it is likely the case. If you have a lot of apps installed on your mobile device, this one can very hard to track down. Another reason to not blindly trust you are safe while installing exclusively from Google Play. Even if the Play Store is by far the safest place to install apps on Android, it can fault from time to time as well. Having an anti-malware scanner, or anti-adware in this case, is a good idea. Stay safe out there!

App Information

Package name: com.document.pdf.viewer

App Name: PDF reader - documents viewer

Developer: Fairy games

MD5: CDA77D85D5B733C89F53254F11F3F372

Google Play URL: https://play.google.com/store/apps/details?id=com.document.pdf.viewer

Malwarebytes: Latest News

Large eBay malvertising campaign leads to scams