Verimatrix researchers in our VMX Labs have discovered that all apps published by Simi Studio that are downloadable from its website contain malware. Simi Studio’s own website, as well as some APK mirrors, claim that its Screen Lock mobile app has more than 5 million downloads, while its other two apps, Floating Button and Flashlight, appear to boast more than 100,000 downloads combined.

The apps are not currently available on the Google app store, but can be obtained from the developer’s website and several APK mirror sites. There are indications that the apps were previously listed on the official Google app store but have since been removed.

While all major virus scanners classify these apps as “clean,” Verimatrix XTD has detected that the apps perform overlay attacks. A short analysis using Hybrid Analysis (www.hybrid-analysis.com), as well as analysis with Joe Sandbox, classifies the applications as malware.

The findings confirm that the apps conduct the following suspicious behavior:

  • The apps attempt overlay attacks on banking applications, starting with a request for the BIND_ACCESSIBILITY_SERVICE permission, which malware commonly uses to initiate overlay attacks.
  • The apps attempt privilege escalation, such as requesting root access and trying to add new device administrators.
  • The apps attempt to control WiFi and Bluetooth, which are typical signs of spreading.
  • The apps control phone calls as well as video and audio recording.
  • The TLS fingerprint of outgoing connections matches that of known malware connecting to its C2 servers.
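As an added defensive example (not Verimatrix code and not derived from the Simi Studio apps), the following triage maps the capabilities listed above to the Android permission declarations that make them possible and runs over a constructed manifest. It assumes the manifest has already been decoded from the APK's binary XML (for example with apktool or aapt); root requests happen at runtime and are not visible here.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample (not from any Simi Studio app) in the form a decoded
# AndroidManifest.xml takes after apktool/aapt; it declares the capability
# pattern the write-up describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.screenlock">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Behaviour buckets mirroring the write-up. Root requests happen at runtime
# (su binaries), so they are out of reach of a manifest check.
BUCKETS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW",
                "android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "privilege_escalation": {"android.permission.BIND_DEVICE_ADMIN"},
    "radio_control": {"android.permission.CHANGE_WIFI_STATE",
                      "android.permission.BLUETOOTH_ADMIN", "android.permission.BLUETOOTH_CONNECT"},
    "call_and_recording": {"android.permission.CALL_PHONE", "android.permission.ANSWER_PHONE_CALLS",
                           "android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
}

def declared_permissions(manifest_xml):
    """Permissions requested via <uses-permission> plus those guarding the app's
    own components (android:permission); the BIND_* ones only appear as the latter."""
    found = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag == "uses-permission":
            found.add(el.get(ANDROID_NS + "name", ""))
        if el.get(ANDROID_NS + "permission"):
            found.add(el.get(ANDROID_NS + "permission"))
    return found

def triage(manifest_xml):
    """Buckets with hits and the permissions behind them. A screen-lock or
    flashlight app has no business in 'overlay' or 'privilege_escalation'."""
    perms = declared_permissions(manifest_xml)
    return {b: sorted(perms & p) for b, p in BUCKETS.items() if perms & p}
```

A hit in both "overlay" and "privilege_escalation" for an app of this kind is the combination worth escalating to sandbox analysis, as the write-up did with Hybrid Analysis and Joe Sandbox.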

The fact that malware like this can fly below the radar of classical endpoint protection systems demonstrates the strength of Verimatrix XTD in monitoring and protecting mobile apps.