Clicker trojan found in Android apps with over 100M installs

Researchers found a clicker Trojan bundled with over 33 apps distributed through the Google Play Store and downloaded by Android users over 100 million times.

The malware was designed as a malicious module added to seemingly harmless applications such as audio players, barcode scanners, dictionaries, and a host of other various types of ordinary software most people would install on their Android devices.

These apps were fully functional, as Doctor Web researchers found, and showed no warning signs within their interface, nor did they exhibit the suspicious behavior most malicious applications display, such as hiding their icon after installation or requesting far more permissions than their stated tasks require.

Clicker Trojans are a type of malware designed to stay active in the memory of infected devices and perform various ad fraud-related tasks in the background such as opening web pages without the victim’s knowledge.

Subscribes victims to premium services

The clicker Trojan, dubbed Android.Click.312.origin by the researchers, would only activate 8 hours after the apps that contained it were launched, in order to evade detection.

Subsequently, another variant was also found while analyzing this malicious campaign, which got named Android.Click.312.origin.

After launching on one of the compromised Android devices, the malware would immediately start collecting system information such as:

  • the OS version,
  • the device’s manufacturer and model,
  • the user’s country of residence,
  • the internet connection type,
  • the user’s time zone,
  • and info on the app with the clicker Trojan module.

All this information and more is packaged and sent to the malware’s command and control (C2) server which, in turn, transmits back commands and new modules to be used, for instance, “to register a broadcast receiver and a content observer, which Android.Click.312.origin uses to monitor the installation and updates of applications.”

Once the user installs a new app on the infected device via the Play Store or from an APK installer, the Trojan will send info and technical data on the device and the newly installed app to its C2 server which sends back URLs to open in a browser, an invisible WebView, or in the Play Store.

“Thus, depending on the settings of the command and control server and the instructions it sends, the trojan can not only advertise applications on Google Play, but also covertly load any websites, including advertisements (even videos) or other dubious content,” the researchers found.

As an example, some users reported on Google’s Play Store that they were “automatically subscribed to expensive content provider services” after installing applications containing the Android.Click.312.origin clicker Trojan.

Doctor Web’s researchers found the clicker Trojan within the apps listed in the table below, which they reported to Google. The company removed several of the reported apps, while a number of them got updated and had the malicious module removed.


The researchers provide detailed information on what information the clicker Trojan sends to its C2 servers, as well as the commands and settings it receives from its operators.

Additionally, Doctor Web’s research team also advises developers to “responsibly choose modules to monetize their applications and not integrate dubious SDKs into their software.”

Source: BleepingComputer