Quite recently, our Android app has started crashing due to a NullPointerException in a package called com.walkfreestub. Currently there are absolutely no references to this online (we've tried all sorts of other searches related to the crash). Any information about this package or possible causes would be wonderful. Our best guess is that someone has decompiled our APK and modified the original code, in order to re-release it in an unofficial app store.
Notably, this happens most often in India and Nigeria, and frequently on the Xiaomi 2014818 device (but that might just be a common device in those countries). Versions are mostly Android 4.2 and 4.4, but also a few crashes on 5.1 and others.
Update:
There are now several forums online where users are complaining of malware related to com.walkfree and com.walkfreestub. See links here, here, and here. This unfortunately confirms our hypothesis that the APK has indeed been modified with malware in an unofficial app store.
Full stack trace:
java.lang.NullPointerException: replacement == null
at java.lang.String.replace(String.java:1348)
at com.walkfreestub.trace.ReferrerTrack.checkTrackUrl(ReferrerTrack.java:158)
at com.walkfreestub.internal.PushServiceProxy.startDownloadApp(PushServiceProxy.java:454)
at com.walkfreestub.internal.PushServiceProxy.notifyToDownload(PushServiceProxy.java:239)
at com.walkfreestub.internal.PushServiceProxy.notifyMessage(PushServiceProxy.java:274)
at com.walkfreestub.internal.PushServiceProxy.onMessageLoaded(PushServiceProxy.java:342)
at com.walkfreestub.internal.push.WalkPushRequest$6.onResponse(WalkPushRequest.java:375)
at com.walkfreestub.internal.push.WalkPushRequest$6.onResponse(WalkPushRequest.java:1)
at com.walkfreestub.volley.toolbox.StringRequest.deliverResponse(StringRequest.java:60)
at com.walkfreestub.volley.toolbox.StringRequest.deliverResponse(StringRequest.java:1)
at com.walkfreestub.volley.ExecutorDelivery$ResponseDeliveryRunnable.run(ExecutorDelivery.java:99)
at android.os.Handler.handleCallback(Handler.java:730)
at android.os.Handler.dispatchMessage(Handler.java:92)
at android.os.Looper.loop(Looper.java:137)
at android.app.ActivityThread.main(ActivityThread.java:5136)
at java.lang.reflect.Method.invokeNative(Native Method)
at java.lang.reflect.Method.invoke(Method.java:525)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:740)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:556)
at dalvik.system.NativeStart.main(Native Method)
Packages such as com.walkfree and com.walkfreestub appear to come from a trojan injected into decompiled APKs, distributed through unofficial app stores. The trojan appears to download more unwanted apps in the background, and likely performs other dubious activities. If you come across one of these malicious APKs, please submit it to anti-virus sites such as Malwarebytes!
See similar posts here, here, and here for more information.
I would suggest detecting com.walkfreestub.* classes using reflection and notifying your user. Most likely, this injection is implemented with an automated script, so they wouldn't search manually for your detection code.
I mean something like what is described here: checking whether a package exists or not.
You check that com.walkfreestub.* is present in the classpath and notify the user that the application was compromised by malware and that users should be aware of it.
Alternatively, you may try to check APK signature.
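The two checks suggested in this answer, sketched as an added example (not code from the original posts or from the affected app). The class name `TamperCheck` and the certificate digest placeholder are assumptions; the injected class names are the ones visible in the stack trace above, and `GET_SIGNATURES` is used because the crashes are reported on Android 4.2 to 5.1.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example: detect a repackaged build at runtime. */
public final class TamperCheck {
    // Class names copied from the stack trace in the question.
    private static final String[] INJECTED_CLASSES = {
        "com.walkfreestub.internal.PushServiceProxy",
        "com.walkfreestub.trace.ReferrerTrack",
        "com.walkfreestub.internal.push.WalkPushRequest",
    };
    // Placeholder (assumption): lowercase hex SHA-256 of your release signing certificate.
    private static final String EXPECTED_CERT_SHA256 = "REPLACE_WITH_RELEASE_CERT_SHA256_HEX";

    private TamperCheck() {}

    /** True if any class from the injected package is on the app's classpath. */
    public static boolean hasInjectedClasses(ClassLoader loader) {
        for (String name : INJECTED_CLASSES) {
            try {
                // initialize=false: resolve the class without running its static initializers.
                Class.forName(name, false, loader);
                return true;
            } catch (ClassNotFoundException e) {
                // Not present; try the next name.
            }
        }
        return false;
    }

    /** True only if the installed APK is signed by exactly one signer: the expected certificate. */
    public static boolean isSignedWithReleaseCert(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length != 1) return false;
            byte[] d = MessageDigest.getInstance("SHA-256").digest(info.signatures[0].toByteArray());
            StringBuilder hex = new StringBuilder(d.length * 2);
            for (byte b : d) {
                hex.append(Character.forDigit((b >> 4) & 0xF, 16)).append(Character.forDigit(b & 0xF, 16));
            }
            return EXPECTED_CERT_SHA256.equals(hex.toString());
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // Fail closed: an unverifiable signature counts as a mismatch.
        }
    }
}
```

A repackaged APK has to be re-signed with a different key, so the certificate comparison still flags it if the injected package is later renamed; report either result to your backend as well as to the user so you can measure how widespread the modified build is.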