Google Play clicker Trojan installed over 100 million times

Doctor Web analysts have revealed yet another trojan in the Google Play application directory. The threat received the identifier Android.Click.312.origin and is a classic clicker, so it is used to increase website visits and monetize online traffic.

All these programs worked exactly as stated in the description, and for the owners of Android-devices looked completely harmless. In addition, the trojan started malicious activity only 8 hours after the first launch of the application, so as not to arouse suspicion among its victims.

Once started, the trojan sends the following information about the infected device to the management server:

1. manufacturer and model;
2. OS version;
3. country of residence of the user and the default language of the system;
4. User-Agent identifier;
5. name of the mobile operator;
6. type of internet connection;
7. screen settings;
8. time zone;
9. information about the application in which the trojan is built.

In response, the server sends the necessary settings to the malware. Some functions of the malicious application are implemented using reflection, and these settings contain the names of methods and classes along with parameters for them.

These parameters are used, for example, to register the receiver of broadcast messages and the content observer, with the help of which the malware monitors the installation and updating of programs.

After installing a new application or downloading an APK-file by the Play Market client, the Trojan transfers information about this program to the management server along with some technical data about the device. In response, he receives addresses of sites that he opens in an invisible WebView, as well as links that he loads in a browser or Google Play directory.

Read also: For protection against hackers’ attacks, VBScript in Windows 7 and 8 will be disabled

Thus, depending on the settings of the control server and the instructions received from it, the Trojan can not only advertise applications on Google Play, but also quietly download any sites, including those with advertising (including video) or any other content. For example, after installing applications that included the Trojan, users complained about automatic subscriptions to expensive content provider services.

Specialists were not able to recreate the conditions for downloading such sites, but the potential implementation of this fraudulent scheme can be quite simple. Since the trojan informs the managing server about the type of current Internet connection, if there is a connection through the mobile operator’s network, the server can send a command to open the site of one of the partner services that support WAP-Click technology.

“The Trojan receives tasks that contain links. At the command of the Android.Click.312.origin server, it can follow these links, opening them in an invisible WebView. In addition, it is able to download websites in a browser, as well as open a link in the Google Play directory”, – report Doctor Web experts.

This technology simplifies connection to various premium services and is often used to illegally subscribe users to premium services. In some cases, user’s confirmation is not required to connect to such a service — a script placed on the same page can do this for him. He “clicks” on the confirmation button instead of the victim. Since the malware will open the page of the site in an invisible WebView, the whole procedure will pass without the awareness and participation of the user.

Read also: Participants of hacking forums majorly discuss ransomware

In total, Doctor Web experts identified 34 applications in which the malware was built; over 51.7 million users installed them. In addition, at least 50,000,000 people downloaded a modification of the same Trojan, named Android.Click.313.origin. Thus, the total number of mobile device owners threatened by this Trojan exceeded 101.7 million. The following is a list of applications in which the clicker was found:

1. GPS Fix
2. QR Code Reader
3. ai.type Free Emoji Keyboard
4. Cricket Mazza Live Line
5. English Urdu Dictionary Offline – Learn English
6. EMI Calculator – Loan & Finance Planner
7. Pedometer Step Counter – Fitness Tracker
8. Route Finder
9. PDF Viewer – EBook Reader
10. GPS Speedometer
11. GPS Speedometer PRO
12. Notepad – Text Editor
13. Notepad – Text Editor PRO
14. Who unfriended me?
15. Who deleted me?
16. GPS Route Finder & Transit: Maps Navigation Live
17. Muslim Prayer Times & Qibla Compass
18. Qibla Compass – Prayer Times, Quran, Kalma, Azan
19. Full Quran MP3 – 50+ Audio Translation & Languages
20. Al Quran Mp3 – 50 Reciters & Translation Audio
21. Prayer Times: Azan, Quran, Qibla Compass
22. Ramadan Times: Muslim Prayers, Duas, Azan & Qibla
23. OK Google Voice Commands (Guide)
24. Sikh World – Nitnem & Live Gurbani Radio
25. 1300 Math Formulas Mega Pack
26. Social Studies – School Course. USE and BSE.
27. Bombuj – Filmy a seriály zadarmo
28. Video to MP3 Converter, RINGTONE Maker, MP3 Cutter
29. Power VPN Free VPN
30. Earth Live Cam – Public Webcams Online
31. QR & Barcode Scanner
32. Remove Object from Photo – Unwanted Object Remover
33. Cover art IRCTC Train PNR Status, NTES Rail Running Status

Experts have already notified Google engineers about the Trojan, after it some of the infected applications were quickly removed from Google Play. In addition, updates have been released for several applications in which the Trojan component is already missing. However, at the time of the publication of the threat report, most applications still contained a malicious module and remained available for download through the official directory.