“Updates for Samsung” — from a blog to an Android advertisement revenue goldmine of 10,000,000+ users

Alex
Jul 4 · 4 min read

The latest Android OS comes in countless varieties of vendor builds and versions. Are you aware of what else is countless about Android OS? It is the number of complex and often privacy-invasive advertisement frameworks available. In addition, it seems that both of these facts are being exploited for easy income.

The above eye-catching app exists on the official Android OS application store. How did the developer trick 10,000,000+ users into installing it? I am going to put my money on the fact that he or she named the app “Updates for Samsung”. It would be wrong to judge people for mistakenly going to the official application store for firmware updates after buying a new Android device. Vendors frequently bundle their Android OS builds with an intimidating amount of software, and it can easily get confusing.

The main “chunk” of the content for this app comes from rendering the blog website updato[.]com on the main screen of the app. It features some news and Android-related tutorials.

A user can search for their specific firmware in the “Download Firmware” section of the app. Besides being stuffed with advertisement frameworks and not being affiliated with Samsung (yet distributing their firmware), the app offers paid subscriptions for downloads of the said firmware. A user can get an annual subscription for Samsung firmware update downloads for a small fee of $34.99. Interestingly, that doesn’t happen through the official Google Play subscriptions. The app simply asks for your credit card info and sends it to an API endpoint under updato[.]com over HTTPS.

There is a shady peculiarity about these firmware downloads. You may have noted from the screenshot above that the app offers both free and paid options for its downloads. And it does indeed allow registered users to download the firmware for free. However, the download rate is limited to 56 KBps, which means that a download of a typical firmware ROM of ~700 MB would take an infuriating wait of at least 4 hours. Furthermore, as a number of app reviewers have indicated, the download is also almost doomed to time out and fail, hence “motivating” the user to pay for “Fast downloads through paid premium packages”. During our tests, we too observed that the downloads don’t finish, even when using a reliable network.

Last but not least, the app claims to offer SIM card unlocking for any network operator, starting at $19.99. This, too, is not handled via a Google Play subscription.

Although not malicious in the traditional meaning of that term, “Updates for Samsung” does not seem to offer users much of value besides a lighter wallet, and as such it highlights the risks of ignoring the fine print. We recommend that users follow Samsung’s designed procedure for downloading firmware updates. That is, open the “Settings” application on your Android device and navigate to the “About phone” -> “Software Update” menu. These updates are guaranteed to come directly from the vendor and are free of charge.


IOC

Package name: samsungupdate.com

GooglePlay app URL: https://play.google.com/store/apps/details?id=samsungupdate.com

SHA256: 9c2b78a3c88ac698b6ad86c2535d1816b68c42f0eb3e6f3f70eb8c7b1c7ab2ac

The blog: updato[.]com

App permissions:

android.permission.INTERNET
android.permission.CAMERA
android.permission.ACCESS_NETWORK_STATE
android.permission.READ_PHONE_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_COARSE_LOCATION
com.android.vending.BILLING
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.ACCESS_WIFI_STATE
android.permission.BLUETOOTH
android.permission.BLUETOOTH_ADMIN
android.permission.WAKE_LOCK
com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE
com.google.android.c2dm.permission.RECEIVE
samsungupdate.com.permission.C2D_MESSAGE
android.permission.ACCESS_FINE_LOCATION
com.google.android.gms.permission.ACTIVITY_RECOGNITION

CSIS TechBlog

CSIS Security Group software development and security research teams are sharing their experiences building systems to detect, monitor and take down malware infrastructure.

Written by

Alex

https://twitter.com/s_metanka