Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Airpush Begins Obfuscating Ad Modules

Created: 02 Nov 2012 17:15:52 GMT • Updated: 23 Jan 2014 18:11:48 GMT • Translations available: 日本語
Costin Ionescu's picture
+2 2 Votes
Login to vote

Many Android apps contain advertising modules provided by third parties in order to monetize their development efforts. Airpush is a company that produces one of the more aggressive advertising modules. Their advertising modules can place ads in the Android notification bar where users are alerted to events such as missed messages or missed phone calls.

Unfortunately, in the most common versions of Android, the notification bar fails to show the user which app actually generated the advertisement. Since these advertisements can appear when the user is not actively using the app, there may be confusion on how to stop the advertisements from appearing in the notification bar. It is worth noting that changes have since been made by both Google and Airpush to better link advertisements directly to apps.

Many users disapprove of this model of advertising which has resulted in a controversy causing waves of not-so-good ratings and comments for some apps. This has prompted app developers to better describe what kind of ads are used before users install an app or, in some cases, to even reconsider using these advertising modules in their apps at all.

Norton Spot is a product designed to deal with this kind of problem by letting users know exactly what actions are performed by each ad platform and which apps contain them.

Symantec Security Response did notice a few Android apps where developers used tools to modify the Airpush modules. For instance, some developers changed strings referencing Airpush from "com.airpush.android" to "com.andipush.androidsdk". There is no functional advantage to do this, so it looks like some developers prefer to hide the presence of the Airpush modules from their users.

Recently, there has been an increase in the number of apps that use random alphanumeric strings to reference the Airpush modules:

  • com.EtrSnehN.vkBWjQlJ103131.Airpush
  • com.XdtXq.jjxnz112220.Airpush

The number of apps using this method reaches into the thousands.

Obviously, individual developers have not all coincidentally begun doing this on their own. Instead, Airpush themselves are now providing a customized version of their advertising modules with unique strings referencing their modules to each developer. They have stated that the reason for introducing this obfuscation is because their competitors are scanning applications to see which developers are using their software.

Such obfuscation techniques can also have an effect on ad network detectors. For example, we downloaded four popular competitor products that normally detect unobfuscated versions of Airpush and, unfortunately, were surprised to find Airpush's techniques successfully bypassed them all.

This type of obfuscation does not affect Norton Spot. Norton Spot will alert you to any applications using Airpush despite the introduction of these customized modules.

If you see Airpush advertisements in your notification bar, you can use Norton Spot for free to find the unwanted application.