Skip to content

Snoopy Android Adware Poses as Power-Saving Patch


Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

An adware campaign currently running on mobile devices in the US advertises an Android program that claims it can preserve the level of charge on your particular mobile device’s battery for as long as mechanically possible.

But the campaign’s deliverable — an Android app named, variably, Battery Doctor or Battery Upgrade — delivers more than the advertised functionality. Both are adware, and both make hidden calls back to their advertising servers, delivering a wealth of information about the phone’s owner and the device itself.

In this investigation, taken at the request of PCWorld, I found that the Battery Upgrade variant seems to cross a software distribution method ethical line. Battery Upgrade has been deliberately designed to take the appearance of an operating system patch or update. The untrained eye may miss the subtle clues that the software is not what it appears to be. Worse: Just visiting the Web page where the program is hosted triggers a ‘push’ download of the Android app from the server.

Here’s a sample of one of the banners in use that leads you down the path.

Take a look at the page which opens in the browser if you happen to click this banner ad:

This banner, and the subsequent download page, are both hosted on the Web domain, which (as I write this) resolves to just one IP address,

A particularly nice touch is the addition of a replica of the notification bar at the top of the image. When viewed fullscreen in the mobile browser window, the urgent wording and careful use of the yellow exclamation mark icon, seems to deliberately give the impression that the phone received an urgent over-the-air update from their wireless carrier. Nothing of the sort has occurred.

In fact, the network activity recorded by “victim” phones revealed that the phone retrieved and displayed nothing more than a full-screen ad from A single click on the ad prompts the immediate download of a file named Battery Upgrade (Touch to Start).apk. Most of the browser window is taken up with the helpful explanation of how to turn off the restriction that only permits installations of software obtained through the Google Market—that is, if you wish to install this IMPORTANT! “update.”

Once the app’s installed, it appears on the desktop along with any other apps. By odd coincidence, it manages to be the only app where the letters of its name look slightly broken, though it’s through no fault of its own.

The first thing I did was tear the file apart to browse its source code. In the course of digging around in the code, I stumbled upon the domain name of, so I took a look.

The link redirected me to the Google Market which, because I was browsing with a PC, displayed this version of the Market page for something called Android Battery Doctor by Android Doctor. As you can see above, the last person to review the app had an experience very similar to mine, and wraps up quite succinctly the principal problems with the app: a big fat Meh enhanced with an Annoying ad popup and topped off with a heaping helping of I accidently signed up for something.

Just for comparison, I pulled down both Battery Doctor and Battery Upgrade, de-DEXed them, and opened the Java source in a Java decompiler. This is how the decompiler displays the classes, or code sections, within the apps:

On the left is our Battery Doctor app, as downloaded directly from On the right, the Battery Upgrade app. In most respects the code is closely related, but there are a few extra libraries — github.droidfu and google.common — bundled into the Upgrade app. Neither of these libraries of Java commands are malicious; They just add functionality to the app that isn’t present in the Doctor version. androiddoctor.battery and androidupgrade.battery handle the functions in the app which enable or disable power-hungry features on the phone. is a (benign) library used by app developers who use the Localytics service to monitor their app’s functionality.

The mobsqueeze and classes concern me for reasons I’ll get to in a minute.

Battery Upgrade’s opening screen is … Ow! My eyes!

When the program first executes, this overview window appears. As you can see, it relays some information about the battery and running apps. Oddly, for a program whose ostensible purpose is the minimizing of power consumption, a second pie chart on the right side of the screen concentrates on available storage space. Not only that, but it completely blows the logic of any sensible color scheme. Free storage represented by red or yellow? Is it bad not to have used every byte of storage? And what’s with used storage being represented by green or slightly darker yellow?

Meanwhile, immediately upon execution (and invisibly to the user), the program begins phoning home to its parent ad server,

This screenshot from the Dalvik debugger, a component of the Android SDK, shows the internal activity of all applications running on the virtual device where we tested the app. In these calls, the Battery Upgrade process, indicated on the screenshot as process id (pid) 648, making an ad call on the Mobsqueeze server for a campaign named eversave. Hey, I knew I’d heard of them before. They recently — like, just a couple weeks ago — made a list of Web sites that are “engaged in the distribution of malware.”

What an unexpected coincidence.

And here is a peek inside the source code of the app where it makes this ad call. Amusingly, the creators named this behavior the SqueezeActivity. I never really thought of a mob squeeze as desirable, no matter the context, and I still don’t.

Meanwhile, back in the user-facing part of the app…

Pay attention to the tabs at the top of the screen, however. The two on the left, highlighted in green, are no-ad areas in the “free” version of the product. Selecting any of the tabs highlighted in red trigger the app to display another full-screen ad, but more on that later.

This is the settings menu, where the primary value of the program lies: It can turn off your WiFi radio, and other RF-heavy, power-consuming components of the phone’s hardware. And…that’s about it. It’s also the only functional part of the app other than the overview page where you won’t be bombarded with ads like this:

Let’s take a closer look…

That’s what you see when you try to click one of those red-highlighted tabs.

Meanwhile, inside a section of code called (I kid you not) BaseStarReceiver, the app sends a message to let that the program is displaying the full-screen banner ad.

You know who else used Base Stars. Freeze, human!

And look, there’s only one button: Continue.

Wait, I didn’t actually just give you permission to take my email address right out of my Google account and give it to some other company, did I?

Oh? I did? Well thanks for nothing. I guess I’ll go tune my spam filters, now.

But there’s nothing wrong with displaying a few ads within the program window, is there? Well, not really…unless you’re doing something more than just that. Like “Sending User Info…”

The program loads a service called NotifAdSDK, which checks in (and sends along your profile information) every four hours.

Let’s take a closer look at what profiling information about the device, and its user, Battery Upgrade sends back to its home server, Looks like some basic information about the device itself: its screen size; the version of the browser and OS on the device; the program which is generating the traffic (com.androidupgrade.battery) and its version; the name of the campaign (eversave1); the device’s manufacturer and model; the network the device uses; the phone’s coarse (mobile network) or fine (GPS) location; the IMEI and phone number; the app’s API key, and a unique identifier for the device.

While this seems fairly intrusive out of context, it’s surprisingly common for the ad code in mobile apps that display ads to retrieve this kind of detailed profiling information.

Directive fulfilled.

Once you go through the “free upgrade” process, the program shifts its data mining into high gear.

In this case, the program seems to be data-mining the phone. The function above, a part of the mobsqueeze code named LeadInfo, queries the phone for Google Account information, and uses the name from the Gmail settings on your phone.

Hey, you gave it permission to do that, right? You totally knew what you were getting into when you unintentionally clicked a banner ad; had an Android app unceremoniously download itself to your phone; were convinced by the descriptive text that it was some kind of legitimate update; clicked the app to install it because you thought it was some kind of update; then scrolled all the way down to the bottom of the permissions list and then expanded the part at the bottom which says “Show,” because you’re just the kind of Android user who scrutinizes every detail of every app you install. Right?

So let’s take a look at the servers — or should I say, server — involved in the distribution of the app and the ad tracking and serving. As it turns out, all the domains involved with this thing are hosted on the same machine. There’s even another domain I hadn’t encountered yet: I think I can see now where this is headed. Thanks, Robtex.

Bottom line, the app isn’t malicious, but does have seriously intrusive elements that might be considered undesirable by some users and/or their employers—and if the adware guys can do it, so can the malware makers. The installation process clearly draws on effective social engineering techniques that have been well refined in the world of Windows malware. I mean, it’s basically the same social engineering technique as was used by GGTracker; only, it doesn’t try to send SMS messages to fee-based services. It makes its money the old fashioned way: targeted marketing and data mining its users.

And it’s not difficult to see how, say, a large corporation, government agency, or military might eschew an app that can surreptitiously obtain sensitive data like the user’s identity, phone IMEI, and fine location coordinates, and exfiltrate that data behind the scenes using whatever networking is available, without the user even being aware that it’s being done.

We still don’t know who’s behind the adware. The domain WHOIS data for all three domains has been hidden behind a private registration. For now, the “your battery is running out of juice” ad campaigns have run out of juice. I think it’s fair to assume, at this point, none of them are up to any good, and you shouldn’t trust the lot of them.

Solera blog stats

%d bloggers like this: