Malicious Clicker apps in Google Play have 20M+ installs

Researchers discovered 16 malicious clicker apps in the official Google Play store that were downloaded by 20M+ users.

Security researchers at McAfee have discovered 16 malicious clicker apps available in the official Google Play store that were installed more than 20 million times. One of these apps, called DxClean, has more than five million times and its user rating was of 4.1 out of 5 stars.

Clicker apps are adware software that loads ads in invisible frames or in the background and clicks them to generate revenue for the threat actors behind the campaign.

“Recently the McAfee Mobile Research Team has identified new Clicker malware that sneaked into Google Play. In total 16 applications that were previously on Google Play have been confirmed to have the malicious payload with an assumed 20 million installations.” reads the report published by McAfee.

Threat actors have concealed the malicious code in useful utility applications like Flashlight (Torch), QR readers, Camara, Unit converters, and Task managers.

Upon executing the clicker apps, they will downloads the configuration from a remote server and register the FCM listener to receive the push messages.

“Once the application is opened, it downloads its remote configuration by executing an HTTP request. After the configuration is downloaded, it registers the FCM (Firebase Cloud Messaging) listener to receive push messages. At first glance, it seems like well-made android software. However, it is hiding ad fraud features behind, armed with remote configuration and FCM techniques.” continues the report.

The FCM message includes multiple information, such as the functions to call and the parameters to pass them.

When the app receives an FCM message that meets some condition, the associated function starts in the background. Usually the functions instruct the device to visit websites in the background while mimicking user’s behavior. This may cause heavy network traffic and consume power while generating profit for the attackers by clicking on ads without users’ knowledge.

The experts identified two pieces of code in these clicker apps, one is “com.click.cas” library which is usedto automate clicking functionality, the second one is “com.liveposting” library that’s acts as an agent and runs hidden adware services.

All 16 Clicker apps reported by McAfee experts have been removed from Google Play, the security firm also shared

“Clicker malware targets illicit advertising revenue and can disrupt the mobile advertising ecosystem.” concludes the report Malicious behavior is cleverly hidden from detection.” concludes the report.

“we recommend having a security software installed and activated so you will be notified of any mobile threats present on your device in a timely manner. Once you remove this and other malicious applications, you can expect an extended battery time and you will notice reduced mobile data usage while ensuring that your sensitive and personal data is protected from this and other types of threats.””

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, clicker apps)

[adrotate banner=”5″]

[adrotate banner=”13″]