Quite recently, our Android app has started crashing due to a NullPointerException
in a package called com.walkfreestub
. Currently there are absolutely no references to this online (we've tried all sorts of other searches related to the crash). Any information about this package or possible causes would be wonderful. Our best guess is that someone has decompiled our APK and modified the original code, in order to re-release it in an unofficial app store.
Notably, this happens most often in India and Nigeria, and frequently on the Xiaomi 2014818 device (but that might just be a common device in those countries). Versions are mostly Android 4.2 and 4.4, but also a few crashes on 5.1 and others.
Update:
There are now several forums online where users are complaining of malware related to com.walkfree
and com.walkfreestub
. See links here, here, and here. This unfortunately confirms our hypothesis that the APK has indeed been modified with malware in an unofficial app store.
Full stack trace:
java.lang.NullPointerException: replacement == null
at java.lang.String.replace(String.java:1348)
at com.walkfreestub.trace.ReferrerTrack.checkTrackUrl(ReferrerTrack.java:158)
at com.walkfreestub.internal.PushServiceProxy.startDownloadApp(PushServiceProxy.java:454)
at com.walkfreestub.internal.PushServiceProxy.notifyToDownload(PushServiceProxy.java:239)
at com.walkfreestub.internal.PushServiceProxy.notifyMessage(PushServiceProxy.java:274)
at com.walkfreestub.internal.PushServiceProxy.onMessageLoaded(PushServiceProxy.java:342)
at com.walkfreestub.internal.push.WalkPushRequest$6.onResponse(WalkPushRequest.java:375)
at com.walkfreestub.internal.push.WalkPushRequest$6.onResponse(WalkPushRequest.java:1)
at com.walkfreestub.volley.toolbox.StringRequest.deliverResponse(StringRequest.java:60)
at com.walkfreestub.volley.toolbox.StringRequest.deliverResponse(StringRequest.java:1)
at com.walkfreestub.volley.ExecutorDelivery$ResponseDeliveryRunnable.run(ExecutorDelivery.java:99)
at android.os.Handler.handleCallback(Handler.java:730)
at android.os.Handler.dispatchMessage(Handler.java:92)
at android.os.Looper.loop(Looper.java:137)
at android.app.ActivityThread.main(ActivityThread.java:5136)
at java.lang.reflect.Method.invokeNative(Native Method)
at java.lang.reflect.Method.invoke(Method.java:525)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:740)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:556)
at dalvik.system.NativeStart.main(Native Method)
Packages such as com.walkfree
and com.walkfreestub
appear to come from a trojan injected into decompiled APKs, distributed through unofficial app stores. The trojan appears to download more unwanted apps in the background, and likely performs other dubious activities. If you come across one of these malicious APKs, please submit it to anti-virus sites such as Malwarebytes!
See similar posts here, here, and here for more information.