Lookout specialists found that more than 440,000,000 users downloaded and installed 238 applications from the official Google Play catalog, infected with the BeiTaPlugin advertising library.
Since the researchers promptly notified Google of their discovery, and the company contacted the application developers, currently 230 problematic applications have already been removed from the catalog or updated to safe versions that do not contain BeiTaAd.
The BeiTaPlugin SDK has existed since the beginning of 2018, and for the most part it worked as originally intended: it provided application developers with a simple tool for displaying advertisements within their applications. The SDK was trusted by developers because it was created by the famous Chinese company CooTek, which used it as an advertising component for its own TouchPal application (a keyboard installed over 100,000,000 times).
BeiTaPlugin began to abuse its capabilities only in the spring of this year. In February-March, developers began to notice that the number of advertisements and pop-up windows increased, and they appeared literally out of the blue, outside of running applications and blocked access to the screen and phone functions. Lookout experts write that it’s almost impossible to use a device because of such an advertisement: it makes it difficult to answer calls, work with applications, and so on.
Apparently, the authors of BeiTaPlugin understood that such behavior of their SDK would not be perceived too well and tried to disguise aggressive advertising practices by obfuscating the code. In addition, the delay in displaying any advertisements for 24 hours after the first launch of an infected application was used, making it difficult to detect the exact source of advertisements.
A complete list of problematic applications that ever contained BeiTaPlugin can be found in the Lookout expert report. Users are advised to update such applications or remove them altogether from their devices.