AdDown is a type of Android adware that shows ads to infected users, collects personal data on its victims, and secretly installs apps without the user's knowledge. This adware was discovered in January 2015. Trend Micro says it detected the adware in over 800 apps that were uploaded on the Play Store, usually within small utility apps, such as wallpaper changers, photo editors, and flashlight apps. AdDown has evolved into three different variants.

The first variant, Joymobile, can be used to conduct remote code execution. It is also capable of installing other APKs, and it can do this silently if the device is rooted. Its communication channel with its C2 server is unencrypted.

The second variant, Nativemob, has a different code structure and a few new features, such as ad behaviors and utilities. The silent application installation feature was removed, but application installation that involved user confirmation remained. It also collects more user information the previous variant and sends it to its C2 server after encoding it in base64.

Xavier, the third variant, has been detected in seventy-five applications uploaded to the Google Play Store. It downloads code from a remote server and then loads and executes it. Xavier avoids detection using string encryption, internet data encryption, and emulator detection. Xavier can avoid both static and dynamic analysis and has the abilitiy to download and execute additional malicious code.

Technical Analysis

  • Trend Micro researchers provide technical analysis here.
  • BleepingComputer provides technical analysis here.