Stealing apps, installing ads

A while back I blogged about “offerwalls” that were collecting leaked user data. But now it seems that not only users are under attack. Recently while browsing Reddit, I found the account of a popular app developer who claims that another developer on the Android Market had stolen his app, added ad spam code to it, and uploaded it under his own account with the same name. After some research I discovered that this was, in fact, the case

The app, called ElectricSleep was originally created by Jon Willis. You can find it


According to the description, ElectricSleep can “Improve the quality of your sleep with this smart alarm clock. ElectricSleep is an alarm clock that records your sleep cycles and wakes you up gently during a light sleep cycle. The sleep data it records is saved and analyzed so that you can understand and improve upon your sleeping habits.”

In comparing the original app to the stolen version, the first obvious sign of tampering was in the permissions:

The real app does not ask for Location permission:

So in researching what the copied app does, I was able to discover that a Pay-Per-Install library was added to the original code. The library comes as part of an SDK from a company called AirPush:

Airpush does exactly what its name states. It pushes different types of advertisements to end users, and these advertisements generate revenue for the app developer, or in this case, the app copier. How much money can be made? Well according to Airpush’s website:

“Airpush developers earn CPM’s in the $6 – $40 range”. CPM stands for “Cost Per M”, or cost per thousand. This means that Airpush pays the developer every time 1,000 impressions are made. How much is paid is in constant fluctuation.

Essentially what has happened is that a rogue developer has downloaded Mr. Willis’ app, added pay-per-install code, and then uploaded the modified app as his own under a different developer account. The offending app has since been removed, but the developer account of the infringer is still active.

Users are no doubt sick of intrusive advertising without warning. As a result, another developer has released “AirPush Detector” which is capable of detecting advertising frameworks installed in apps. While these Pay-Per-Install services are not illegal, they can be intrusive, and stealing apps just to add on advertising code is definitely in violation of the Android developer License agreement.

AirPush Detector can be found


Stealing apps, installing ads

Your email address will not be published. Required fields are marked *



Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

Subscribe to our weekly e-mails

The hottest research right in your inbox