Download a popular, legitimate app from the Google Play Store. Decompile it. Add malicious code. Repackage the app. Distribute the now trojanized app through third-party Android app sites. This is how the advertising malware Ewind, which Palo Alto Networks calls "adware in applications' clothing," infects Android users.
Researchers Yaron Samuel and Simon Conant at Palo Alto Networks have noticed multiple samples of the adware since 2016. Most recently, Ewind has been targeting the apps GTA Vice City, AVG cleaner, Minecraft Pocket Edition, Avast! Ransomware Removal, VKontakte, and Opera Mobile.
Ewind is built specifically for "adware monetization through displaying advertising on the victim's device," according to the researchers, but it can also collect users' data, forward text messages to itself, and could potentially allow "full remote access to the infected device."
The researchers believe the adware-infected applications, the sites where the apps are available to download, the promoted advertising that Ewind injects, and the attacker "are all Russian."
Ultimately, if an Android device becomes infected with Ewind, it can be instructed by the cybercriminal's command-and-control server, referred to below as the "C2," to carry out almost any command:
Ewind can be instructed using the 'smsFilters' command to forward to the C2 any SMS messages meeting certain filter criteria. The filter includes matching a phone number or message text. If a message is received from a matching phone number or with matching text, Ewind sends the C2 a request with the event 'receive.sms', including the full SMS text and sending phone number. If both a phone number and text filter match, Ewind informs the C2 with event 'sms.filter'.
The researchers go on to suggest that the adware's ability to steal messages is likely being used to circumvent two-factor authentication by SMS, allowing full access to a user's current messages, contacts, and message history.
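From the defender's side, the two event names above are the most useful indicators of the behaviour the researchers describe. The following is an added example, not code from the Palo Alto Networks report or from Ewind itself: it scans proxy-style request logs for beacons carrying the 'receive.sms' and 'sms.filter' events and flags forwarded messages that look like one-time codes, which is the 2FA-bypass scenario the researchers raise. The log line layout, the C2 host, the URL path and the parameter names (`number`, `text`) are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Event names the researchers attribute to Ewind's 'smsFilters' handling.
SMS_EVENTS = {"receive.sms", "sms.filter"}

# Heuristic for a one-time code: a standalone run of 4 to 8 digits.
OTP_RE = re.compile(r"(?<!\d)\d{4,8}(?!\d)")

# Constructed sample of outbound requests, in the shape a proxy or sandbox
# might log them.  Host, path and parameter names are assumptions.
SAMPLE_LOG = """\
2017-04-11T10:00:01Z POST http://c2.example.invalid/api?event=device.info&model=Nexus
2017-04-11T10:00:07Z POST http://c2.example.invalid/api?event=receive.sms&number=%2B15550001111&text=Your+verification+code+is+482913
2017-04-11T10:00:09Z POST http://c2.example.invalid/api?event=sms.filter&number=%2B15550002222&text=Hi%2C+are+we+still+on+for+lunch%3F
2017-04-11T10:00:12Z GET http://c2.example.invalid/ads?event=show.ad&id=17
"""


def parse_beacon(line):
    """Return (timestamp, event, params) for one log line, or None if it
    does not have the assumed '<ts> <method> <url>' shape."""
    parts = line.split(maxsplit=2)
    if len(parts) != 3:
        return None
    ts, _method, url = parts
    qs = parse_qs(urlsplit(url).query)  # also URL-decodes values
    event = qs.get("event", [None])[0]
    params = {k: v[0] for k, v in qs.items() if k != "event"}
    return ts, event, params


def find_sms_exfil(log_text):
    """Flag beacons that carry forwarded SMS content and mark likely 2FA codes."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_beacon(line)
        if parsed is None:
            continue
        ts, event, params = parsed
        if event not in SMS_EVENTS:
            continue  # ad-display and device-info beacons are not exfiltration
        text = params.get("text", "")
        findings.append({
            "time": ts,
            "event": event,
            "sender": params.get("number", ""),
            "likely_otp": bool(OTP_RE.search(text)),
            "text": text,
        })
    return findings


if __name__ == "__main__":
    for f in find_sms_exfil(SAMPLE_LOG):
        flag = "LIKELY 2FA CODE" if f["likely_otp"] else ""
        print(f'{f["time"]} {f["event"]:<12} from {f["sender"]} {flag}')
```

Run against the constructed sample it reports two forwarded messages, the first of which carries a six-digit code; in practice the same logic would sit in a proxy log pipeline, keyed on whatever request shape the analyst has actually captured for a given sample.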
The adware was first spotted through AutoFocus, Palo Alto Networks' threat intelligence service: the researchers found a number of repackaged APKs that were all signed with the same unique certificate.
The team went on to identify the suspicious certificate and found that many of the APKs "included the application name of Anti-Virus and other well-known applications."
"We have here an actor not only developing malware for monetization, but responsible for a network of Android App Store infrastructure which has over the years been used to serve tens of thousands of Android downloads in support of his advertising-supported monetization schemes," the researchers write.
Adware is a constant threat for Android users. In 2015, Lookout discovered adware hiding in over 20,000 apps, including Facebook, Twitter, WhatsApp, and Snapchat. The apps were not downloaded from the Google Play Store, but from third-party Android app sites where the popular apps were repackaged with adware and then redistributed.
The adware rooted users' smartphones after being installed, and then added itself as a system application. Users were not able to delete it, even after factory resetting their whole device.
Palo Alto Networks concludes that Ewind is currently present in some apps available on mobincome.org and androwr.ru, and advises treating these sites as "low-reputation." It is always wise to be cautious when downloading apps from third-party sites. Google also recommends using Verify Apps to check whether any installed apps are infected with malware.