Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

SimBad malware infected million Android users through Play Store

Security experts at Check Point uncovered a sophisticated malware campaign spreading the SimBad malicious code through the official Google Play Store. Researchers at Check Point have uncovered a sophisticated malware campaign spreading the SimBad agent through the official Google Play Store. According to experts, more than 150 million users were already impacted. SimBad disguises itself […]

SimBad

Security experts at Check Point uncovered a sophisticated malware campaign spreading the SimBad malicious code through the official Google Play Store.

Researchers at Check Point have uncovered a sophisticated malware campaign spreading the SimBad agent through the official Google Play Store. According to experts, more than 150 million users were already impacted.

SimBad disguises itself as ads, it is hidden in the RXDrioder software development kit (SDK) used for advertising purposes and monetization generation. Every application developed using the tainted SDK includes the malicious code.

“The malware resides within the ‘RXDrioder’ Software Development Kit (SDK), which is provided by ‘addroider[.]com’ as an ad-related SDK. We believe the developers were scammed to use this malicious SDK, unaware of its content, leading to the fact that this campaign was not targeting a specific county or developed by the same developer.” reads the analysis published by the experts.

“The malware has been dubbed ‘SimBad’ due to the fact that a large portion of the infected applications are simulator games.”

The domain ‘addroider[.]com’ was registered via GoDaddy the ownership is masqueraded by the privacy protection service, RiskIQ’s PassiveTotal reveals that the domain expired 7 months ago.  By accessing the domain users get a login page that appears similar to other malware panels. The ‘Register’ and ‘Sign Up’ links are broken and ‘redirects’ the user back to the login page.

The SimBad malware is also able to redirect Android users to compromised phishing websites and to download more malicious applications either from the Play Store or from a remote server.

Once an Android user downloads and installs an infected application, the SimBad malware registers itself to the ‘BOOT_COMPLETE’ and ‘USER_PRESENT’ intents. In this way, the malware could perform actions once the booting phase has been completed, while the unaware user is using his device.

Once installed, SimBad malware will connect to the Command and Control (C&C) server, and receives a command to perform. It removes its icon from the launcher, thus making it harder for the user to uninstall the malicious app, at the same time it starts to display background ads and open a browser with a given URL to generate fraudulent revenue without raising suspicion.

“‘SimBad’ has capabilities that can be divided into three groups – Show Ads, Phishing, and Exposure to other applications. With the capability to open a given URL in a browser, the actor behind ‘SimBad’ can generate phishing pages for multiple platforms and open them in a browser, thus performing spear-phishing attacks on the user.” continues the expert.

“With the capability to open market applications, such as Google Play and 9Apps, with a specific keyword search or even a single application’s page, the actor can gain exposure for other threat actors and increase his profits. The actor can even take his malicious activities to the next level by installing a remote application from a designated server, thus allowing him to install new malware once it is required.”

SimBad

According to Check Point, Most of the infected applications are simulator games, followed by photo editors and wallpapers applications. Below the list of top 10 apps infected with SimBad malware:

  1. Snow Heavy Excavator Simulator (10,000,000 downloads)
  2. Hoverboard Racing (5,000,000 downloads)
  3. Real Tractor Farming Simulator (5,000,000 downloads)
  4. Ambulance Rescue Driving (5,000,000 downloads)
  5. Heavy Mountain Bus Simulator 2018 (5,000,000 downloads)
  6. Fire Truck Emergency Driver (5,000,000 downloads)
  7. Farming Tractor Real Harvest Simulator (5,000,000 downloads)
  8. Car Parking Challenge (5,000,000 downloads)
  9. Speed Boat Jet Ski Racing (5,000,000 downloads)
  10. Water Surfing Car Stunt (5,000,000 downloads)

The full list of malware-infected apps is available here

This is the campaign in order of time leveraging the Google store, previously reported massive attacks involved CopyCat and Gooligan malware.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – SimBad, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]