Google Play clicker Trojan installed over 100 million times
Doctor Web analysts have found yet another trojan in the Google Play catalogue. The threat, identified as Android.Click.312.origin, is a classic clicker: it is used to inflate website visits and monetize online traffic. The malware was embedded in applications that look entirely ordinary at first glance (the list is at the end of the article): dictionaries, online maps, audio players, barcode scanners and so on.
All these programs worked exactly as described and, to the owners of Android devices, looked completely harmless. In addition, the trojan started its malicious activity only 8 hours after the first launch of the application, so as not to arouse suspicion among its victims; the same delay means that a short automated dynamic-analysis run sees only benign behaviour.
Once started, the trojan sends the following information about the infected device to its command-and-control (C2) server:
- manufacturer and model;
- OS version;
- the user's country and the default system language;
- User-Agent string;
- name of the mobile operator;
- type of internet connection;
- screen parameters;
- time zone;
- information about the host application the trojan is embedded in.
In response, the server sends the malware its settings. Some functions of the malicious module are implemented via reflection, and these settings contain the names of classes and methods together with parameters for them; static analysis of the APK alone therefore does not show which code will run, because the names arrive from the server at runtime.
These parameters are used, for example, to register a broadcast receiver and a content observer, with which the malware monitors the installation and updating of applications.
After a new application is installed, or an APK file is downloaded by the Play Market client, the trojan sends information about that application to the C2 server along with some technical data about the device. In response, it receives addresses of sites that it opens in an invisible WebView, as well as links that it loads in a browser or in the Google Play catalogue.
Thus, depending on the settings of the C2 server and the instructions received from it, the trojan can not only advertise applications on Google Play but also silently load arbitrary sites, including those with advertising (video included) or any other content. For example, after installing applications that included the trojan, users complained about automatic subscriptions to expensive content-provider services.
The analysts were not able to recreate the conditions under which such sites are loaded, but the potential implementation of this fraudulent scheme is quite simple. Since the trojan reports the type of the current internet connection to the C2 server, the server can, when the device is connected through the mobile operator's network, send a command to open the site of one of the partner services that support WAP-Click technology.
“The Trojan receives tasks that contain links. On command from the server, Android.Click.312.origin can follow these links, opening them in an invisible WebView. In addition, it is able to load websites in a browser, as well as open a link in the Google Play catalogue,” Doctor Web experts report.
This technology simplifies signing up for various premium services and is often used to subscribe users to them illegally. In some cases the user's confirmation is not required: a script placed on the same page can do it for them, "clicking" the confirmation button instead of the victim. Since the malware opens the page in an invisible WebView, the whole procedure completes without the user's awareness or participation. WAP-Click billing identifies the subscriber from the mobile data session itself, which is why the trojan's report of the connection type matters: over Wi-Fi the scheme does not work.
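The behaviours described above (reflection driven by server-supplied class and method names, a receiver for package installs, a WebView that is created but hidden, a multi-hour activation delay, and device fingerprinting) are exactly what an analyst looks for when triaging a jadx or apktool dump of a suspect app. The Python script below is an added example, not Doctor Web's code or detection signatures: its rules are assumptions that encode what the article reports, and both embedded sample sources are constructed for this example rather than taken from any real application.

```python
"""Static triage of decompiled Android sources (jadx/apktool output).

Added example, not Doctor Web's code or signatures: the rules below are
assumptions encoding the behaviours the article describes, and both sample
sources are constructed for this example.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

MS_PER_HOUR = 3_600_000


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    text: str


# Reflection whose class/method name is an identifier (a config field, a
# variable) instead of a string literal: the name is only known at runtime.
DYNAMIC_REFLECTION = re.compile(r"(?:Class\.forName|getMethod|getDeclaredMethod)\(\s*[A-Za-z_][\w.]*\s*[,)]")
# Receivers/observers that watch package installs and updates.
INSTALL_MONITOR = re.compile(r"PACKAGE_ADDED|PACKAGE_REPLACED|addDataScheme\(\s*\"package\"\s*\)|registerContentObserver\(")
# A WebView that is created or navigated, and a view set to GONE (8) or INVISIBLE (4).
WEBVIEW_USE = re.compile(r"new\s+WebView\(|setJavaScriptEnabled\(\s*true\s*\)|\.loadUrl\(")
WEBVIEW_HIDE = re.compile(r"setVisibility\(\s*(?:View\.GONE|View\.INVISIBLE|8|4)\s*\)")
# Timer/scheduler calls, and constants that look like millisecond delays.
DELAY_CALL = re.compile(r"postDelayed\(|Thread\.sleep\(|schedule(?:AtFixedRate)?\(|setExact(?:AndAllowWhileIdle)?\(")
CONST_DEF = re.compile(r"\b(?:long|int)\s+(\w+)\s*=\s*(\d[\d_]*)L?\s*;")
BIG_LITERAL = re.compile(r"\b(\d[\d_]{6,})L?\b")
# Device attributes the article says are reported to the C2 on start.
FINGERPRINT = re.compile(
    r"Build\.(?:MANUFACTURER|MODEL)|VERSION\.(?:RELEASE|SDK_INT)|getNetworkOperatorName\("
    r"|getActiveNetworkInfo\(|getNetworkType\(|TimeZone\.getDefault\(|Locale\.getDefault\("
    r"|getDisplayMetrics\(|System\.getProperty\(\s*\"http\.agent\"\s*\)"
)


def _long_delay(line: str, big_consts: set[str]) -> bool:
    """True if the line's delay argument is at least one hour (literal or named constant)."""
    if "TimeUnit.HOURS" in line or "TimeUnit.DAYS" in line:
        return True
    if any(int(n.replace("_", "")) >= MS_PER_HOUR for n in BIG_LITERAL.findall(line)):
        return True
    return any(re.search(rf"\b{re.escape(c)}\b", line) for c in big_consts)


def scan_source(path: str, source: str) -> list[Finding]:
    """Return one Finding per suspicious line/pattern in one decompiled class."""
    findings: list[Finding] = []
    big_consts: set[str] = set()
    fingerprint_apis: set[str] = set()
    first_fingerprint = None
    webview_seen = False
    hide_lines: list[tuple[int, str]] = []
    for n, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        m = CONST_DEF.search(line)
        if m and int(m.group(2).replace("_", "")) >= MS_PER_HOUR:
            big_consts.add(m.group(1))          # remember e.g. START_DELAY = 28800000L
        if DYNAMIC_REFLECTION.search(line):
            findings.append(Finding("dynamic_reflection", n, line))
        if INSTALL_MONITOR.search(line):
            findings.append(Finding("install_monitor", n, line))
        if WEBVIEW_USE.search(line):
            webview_seen = True
        if WEBVIEW_HIDE.search(line):
            hide_lines.append((n, line))
        if DELAY_CALL.search(line) and _long_delay(line, big_consts):
            findings.append(Finding("activation_delay", n, line))
        hits = FINGERPRINT.findall(line)
        if hits:
            fingerprint_apis.update(hits)
            first_fingerprint = first_fingerprint or (n, line)
    if webview_seen and hide_lines:               # WebView used AND hidden in the same class
        findings.append(Finding("hidden_webview", *hide_lines[0]))
    if len(fingerprint_apis) >= 3 and first_fingerprint:
        findings.append(Finding("device_fingerprint", *first_fingerprint))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Three or more independent rule families together is what a clicker looks like."""
    return "suspicious" if len({f.rule for f in findings}) >= 3 else "clean"


# Constructed sample: what a jadx dump of a clicker-like receiver could look like.
SAMPLE_CLICKER = """\
public final class c extends BroadcastReceiver {
    private static final long START_DELAY = 28800000L;
    private WebView w;
    public void a(Context ctx, Cfg cfg) throws Exception {
        Class<?> k = Class.forName(cfg.cls);
        Method m = k.getMethod(cfg.name, Context.class);
        m.invoke(null, ctx);
        IntentFilter f = new IntentFilter("android.intent.action.PACKAGE_ADDED");
        f.addDataScheme("package");
        ctx.registerReceiver(this, f);
        this.w = new WebView(ctx);
        this.w.getSettings().setJavaScriptEnabled(true);
        this.w.setVisibility(8);
        new Handler().postDelayed(() -> w.loadUrl(cfg.url), START_DELAY);
    }
    public String b(Context ctx) {
        TelephonyManager tm = (TelephonyManager) ctx.getSystemService("phone");
        return Build.MANUFACTURER + "|" + Build.MODEL + "|" + Build.VERSION.RELEASE
                + "|" + tm.getNetworkOperatorName() + "|" + TimeZone.getDefault().getID();
    }
}
"""

# Constructed sample: an ordinary app that uses a visible WebView, literal reflection
# and a short splash delay, which the rules must not flag.
SAMPLE_BENIGN = """\
public class ScanActivity extends Activity {
    protected void onCreate(Bundle b) {
        super.onCreate(b);
        WebView help = (WebView) findViewById(R.id.help);
        help.loadUrl("file:///android_asset/help.html");
        Class<?> dec = Class.forName("com.example.scanner.Decoder");
        new Handler().postDelayed(this::hideSplash, 1500L);
        Log.d("scan", "model=" + Build.MODEL);
    }
}
"""

if __name__ == "__main__":
    for name, src in (("a/b/c.java", SAMPLE_CLICKER), ("ScanActivity.java", SAMPLE_BENIGN)):
        fs = scan_source(name, src)
        print(f"{name}: {verdict(fs)}")
        for f in fs:
            print(f"  {f.rule:18} L{f.line_no}: {f.text}")
```

The verdict requires three independent rule families because any one of them on its own is common in legitimate apps (a WebView, reflection against a literal name, a short timer); it is the combination, and in particular reflection whose target names are not literals, that matches what the article describes. On a real dump, run `scan_source` over every `.java` file and tune the patterns to the decompiler's output.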
In total, Doctor Web experts identified 34 applications with the embedded malware; they had been installed by more than 51.7 million users. In addition, at least 50,000,000 people downloaded a modification of the same trojan, named Android.Click.313.origin. Thus, the total number of mobile device owners exposed to this trojan exceeded 101.7 million. The following applications were found to contain the clicker:
- GPS Fix
- QR Code Reader
- ai.type Free Emoji Keyboard
- Cricket Mazza Live Line
- English Urdu Dictionary Offline – Learn English
- EMI Calculator – Loan & Finance Planner
- Pedometer Step Counter – Fitness Tracker
- Route Finder
- PDF Viewer – EBook Reader
- GPS Speedometer
- GPS Speedometer PRO
- Notepad – Text Editor
- Notepad – Text Editor PRO
- Who unfriended me?
- Who deleted me?
- GPS Route Finder & Transit: Maps Navigation Live
- Muslim Prayer Times & Qibla Compass
- Qibla Compass – Prayer Times, Quran, Kalma, Azan
- Full Quran MP3 – 50+ Audio Translation & Languages
- Al Quran Mp3 – 50 Reciters & Translation Audio
- Prayer Times: Azan, Quran, Qibla Compass
- Ramadan Times: Muslim Prayers, Duas, Azan & Qibla
- OK Google Voice Commands (Guide)
- Sikh World – Nitnem & Live Gurbani Radio
- 1300 Math Formulas Mega Pack
- Social Studies – School Course. USE and BSE.
- Bombuj – Filmy a seriály zadarmo
- Video to MP3 Converter, RINGTONE Maker, MP3 Cutter
- Power VPN Free VPN
- Earth Live Cam – Public Webcams Online
- QR & Barcode Scanner
- Remove Object from Photo – Unwanted Object Remover
- IRCTC Train PNR Status, NTES Rail Running Status
Experts have already notified Google engineers about the trojan, after which some of the infected applications were quickly removed from Google Play. In addition, updates have been released for several applications in which the trojan component is no longer present. However, at the time the threat report was published, most of the applications still contained the malicious module and remained available for download through the official catalogue.
- If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow the recommendations to neutralize the detected threats.
- If the mobile device has been locked by Android.Locker ransomware (the message on the screen says you have broken some law or demands a ransom, or some other announcement prevents you from using the device normally), do the following:
- Boot your smartphone or tablet in safe mode (depending on the operating system version and the particular device, this is done in different ways; consult the user guide shipped with the device or contact its manufacturer);
- Once safe mode is active, install Dr.Web for Android Light on the infected device and run a full system scan; follow the steps recommended for neutralizing the detected threats;
- Switch off your device and turn it on as normal.