Check Point Research has uncovered two large-scale malware campaigns that have infected Android apps with more than 250 million downloads in total.
The first campaign, dubbed SimBad as many of the infected apps were simulator games, infected 210 apps found in the official Google Play Store.
These apps had been downloaded close on 150 million times before researchers found the malware and disclosed the information to Google which removed them immediately.
The second, known as Operation Sheep, only infected some 12 apps but they have so far been downloaded more than 111 million times.
These apps were not in the Google Play Store and can still be found within major Chinese third-party app stores.
SimBad operates in such a way that upon infecting the targeted device the malicious app hides its icon yet work in the background to display advertisements to generate fraudulent revenue whenever the device is in use.
In this way, not only the malware goes unnoticed but raises no suspicion.

How SamBad works (Image credit: Check Point)
According to Check Point, a large portion of the infected applications are simulator games while photo editors and wallpapers applications are also among the list. Here is a list of top 10 apps infected with SimBad malware:
- Snow Heavy Excavator Simulator (10,000,000 downloads)
- Hoverboard Racing (5,000,000 downloads)
- Real Tractor Farming Simulator (5,000,000 downloads)
- Ambulance Rescue Driving (5,000,000 downloads)
- Heavy Mountain Bus Simulator 2018 (5,000,000 downloads)
- Fire Truck Emergency Driver (5,000,000 downloads)
- Farming Tractor Real Harvest Simulator (5,000,000 downloads)
- Car Parking Challenge (5,000,000 downloads)
- Speed Boat Jet Ski Racing (5,000,000 downloads)
- Water Surfing Car Stunt (5,000,000 downloads)
The full list of malware-infected apps is available here.
The good news is that Check Point got in touch with Google and at the time of publishing this article, all malicious apps were removed from the Play Store.
However, if you have installed any of these apps make sure to remove it now and scan your device with trustworthy anti-virus software
What do these malware campaigns do?
According to the researchers, SimBad has three main capabilities: displaying adverts, phishing and exposure to other applications.
It’s adware first and foremost, used to display background ads.
However, with an ability to open any given URL within a browser the threat actors behind SimBad can easily generate spear-phishing attacks across multiple platforms to target users.
The researchers also warn that the malware allows the threat actor to open store apps such as Google Play and 9Apps with “a specific keyword search or application page” which means that they can sell this as a service to other criminals.
Finally, SimBad also enables the installation of remote apps from a designated server so as to be able to install further malware.
It appears that app developers were scammed into using a malicious ad-serving software development kit (SDK) in order to facilitate this campaign.
Aviran Hazum, analysis and response team leader at Check Point, told me that “the SDK provides monetization implementation, by using this SDK the developer can make money off of ads.”
The Operation Sheep campaign is named after a Chinese idiom that translates as taking the opportunity to pilfer a sheep.
It does just one thing but does it really well: harvesting contact information from smartphones without user consent.
It is data stealing malware pure and simple.
It is the first known campaign to exploit the Man-in-the-Disk vulnerability that Check Point discovered last year.
The infected apps, mostly utility applications, upload the entire Android device contacts list to China-based servers whenever a user opens the app or reboots their device.
“The data harvesting market is a wide one and can be worth a lot of money” Hazum says, continuing “the phone number is one of the key ID details on password recovery mechanisms in China.”
Apparently, only devices running Android Marshmallow or above are impacted by this malware; small comfort considering that’s 70% of them.
“We believe this was done as an effort to cut down development time” Hazum told me, adding “developing apps that will run on all devices will take a lot more effort from the actor’s side.”