March 3, 2017

Advertising modules incorporated into Android applications for monetization purposes have become widespread. Many of these plug-ins operate aggressively: they create unnecessary icons and display banners and pop-up windows. Doctor Web specialists found a program on Google Play that contains one of these modules. More than 50,000,000 users have installed it.

Doctor Web specialists examined an on-screen keyboard app called TouchPal. Mobile device owners can use it instead of the standard one. It does indeed work as stated but contains an unwanted advertising module. In keeping with the Dr.Web classification system, the module was named Adware.Cootek.1.origin.

This plug-in displays several types of ads. For example, on the home screen it creates widgets that can’t be deleted until the device owner clicks on them. When the widget is clicked on, Adware.Cootek.1.origin displays an interactive window with a short game that the user always wins, with an ad being their “prize”. Besides the “game”, the module can display a window with news accompanied by banners.

In addition, Adware.Cootek.1.origin embeds advertising in the lock screen and displays banners right after a mobile device is unlocked.

Despite the fact that TouchPal itself is not a malicious program, the unwanted module within it— Adware.Cootek.1.origin —actually makes the mobile device difficult to use due to the constant stream of pop-up notifications and unremovable widgets. Given the fact that this plug-in is embedded directly into the TouchPal software, users can only remove it by deleting the main application. The signature of Adware.Cootek.1.origin has been added to the virus database, so Dr.Web for Android successfully detects it in all programs.

More information regarding Adware.Cootek.1.origin