Google Play clicker Trojan installed over 100 million times

Doctor Web analysts have found yet another Trojan in the Google Play catalogue. The threat was assigned the identifier Android.Click.312.origin and is a classic clicker: it is used to inflate website visits and monetize online traffic.

The malware was built into applications that look perfectly ordinary at first glance (the list is at the end of the article): dictionaries, online maps, audio players, barcode scanners, and so on.

All these programs worked exactly as described in their listings and looked completely harmless to Android device owners. In addition, the Trojan started its malicious activity only 8 hours after the application's first launch, so as not to arouse its victims' suspicion.

Once started, the Trojan sends the following information about the infected device to the management server:

  1. manufacturer and model;
  2. OS version;
  3. country of residence of the user and the default language of the system;
  4. User-Agent identifier;
  5. name of the mobile operator;
  6. type of internet connection;
  7. screen settings;
  8. time zone;
  9. information about the application in which the trojan is built.

In response, the server sends the malware the settings it needs. Some functions of the malicious application are implemented through reflection, so these settings contain the names of classes and methods along with the parameters to pass to them.

These parameters are used, for example, to register a broadcast receiver and a content observer, with whose help the malware monitors the installation and updating of programs.

After a new application is installed, or an APK file is downloaded by the Play Market client, the Trojan transfers information about that program to the management server along with some technical data about the device. In response, it receives addresses of sites that it opens in an invisible WebView, as well as links that it loads in a browser or in the Google Play catalogue.
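As an added example (not code from the article or from Doctor Web), here is a Python triage heuristic that scores the API references extracted from a decompiled APK against the behaviour cluster described above: reflection-driven dispatch, install monitoring, a hidden WebView, device fingerprinting, the 8-hour activation delay and Google Play deep links. The indicator patterns, weights, threshold and both sample string lists are my own constructed assumptions, not signatures from Doctor Web.

```python
import re

# Indicators modelled on the behaviour described in the article. Patterns are matched
# against Smali-style strings such as an apktool or `strings` pass would yield.
# Weights and the threshold are assumptions for this example, not vendor signatures.
INDICATORS = {
    "reflection_dispatch": (r"Class;->forName|Class;->getMethod|Method;->invoke", 2),
    "install_monitor": (r"PACKAGE_ADDED|PACKAGE_REPLACED|registerContentObserver", 2),
    "hidden_webview": (r"WebView;->loadUrl", 1),
    "device_fingerprint": (r"Build;->MANUFACTURER|getNetworkOperatorName|"
                           r"getActiveNetworkInfo|TimeZone;->getDefault", 1),
    "delayed_start": (r"\b28800000\b", 1),  # 8 hours expressed in milliseconds
    "play_deeplink": (r"market://details\?id=|play\.google\.com/store/apps", 1),
}
THRESHOLD = 5  # assumed cut-off: reflection + install monitor + one more indicator


def score_strings(strings):
    """Return (matched indicator names, total score) for a list of extracted strings."""
    matched, total = [], 0
    for name, (pattern, weight) in INDICATORS.items():
        regex = re.compile(pattern)
        if any(regex.search(s) for s in strings):
            matched.append(name)
            total += weight
    return matched, total


def is_suspicious(strings, threshold=THRESHOLD):
    """True when the combined indicator score reaches the threshold."""
    return score_strings(strings)[1] >= threshold


# Constructed sample 1: references a clicker-style module would leave behind.
CLICKER_LIKE = [
    "Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;",
    "Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;",
    "android.intent.action.PACKAGE_ADDED",
    "Landroid/webkit/WebView;->loadUrl(Ljava/lang/String;)V",
    "Landroid/os/Build;->MANUFACTURER:Ljava/lang/String;",
    "const-wide/32 v0, 28800000",
    "market://details?id=",
]
# Constructed sample 2: a plain notepad app that only reads the device model for a crash log.
BENIGN_NOTEPAD = [
    "Landroid/widget/EditText;->getText()Landroid/text/Editable;",
    "Landroid/os/Build;->MANUFACTURER:Ljava/lang/String;",
    "Ljava/io/FileOutputStream;-><init>(Ljava/io/File;)V",
]

if __name__ == "__main__":
    for label, strs in (("clicker-like", CLICKER_LIKE), ("benign", BENIGN_NOTEPAD)):
        print(label, score_strings(strs), "suspicious" if is_suspicious(strs) else "ok")
```

A single fingerprinting call is deliberately not enough to trip the threshold; it is the combination with reflection-driven dispatch and install monitoring that marks a sample for manual review.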


Thus, depending on the settings of the control server and the instructions received from it, the Trojan can not only advertise applications on Google Play but also quietly load any sites, including ones carrying advertising (video included) or any other content. For example, after installing applications that included the Trojan, users complained about being automatically subscribed to expensive content-provider services.

Specialists were not able to reproduce the conditions under which such sites are loaded, but the potential implementation of this fraudulent scheme can be quite simple. Since the Trojan informs the management server about the type of the current Internet connection, when the connection goes through the mobile operator's network the server can send a command to open the site of one of the partner services that support WAP-Click technology.

“The Trojan receives tasks that contain links. At the command of the Android.Click.312.origin server, it can follow these links, opening them in an invisible WebView. In addition, it is able to download websites in a browser, as well as open a link in the Google Play directory,” Doctor Web experts report.

This technology simplifies connecting to various premium services and is often used to subscribe users to such services illegally. In some cases the user's confirmation is not even required: a script placed on the same page can do it for them by “clicking” the confirmation button in the victim's place. Since the malware opens the page in an invisible WebView, the whole procedure passes without the user's awareness or participation.


In total, Doctor Web experts identified 34 applications with the malware built in; over 51.7 million users installed them. In addition, at least 50,000,000 people downloaded a modification of the same Trojan, named Android.Click.313.origin. Thus, the total number of mobile device owners threatened by this Trojan exceeded 101.7 million. The following is the list of applications in which the clicker was found:

  1. GPS Fix
  2. QR Code Reader
  3. ai.type Free Emoji Keyboard
  4. Cricket Mazza Live Line
  5. English Urdu Dictionary Offline – Learn English
  6. EMI Calculator – Loan & Finance Planner
  7. Pedometer Step Counter – Fitness Tracker
  8. Route Finder
  9. PDF Viewer – EBook Reader
  10. GPS Speedometer
  11. GPS Speedometer PRO
  12. Notepad – Text Editor
  13. Notepad – Text Editor PRO
  14. Who unfriended me?
  15. Who deleted me?
  16. GPS Route Finder & Transit: Maps Navigation Live
  17. Muslim Prayer Times & Qibla Compass
  18. Qibla Compass – Prayer Times, Quran, Kalma, Azan
  19. Full Quran MP3 – 50+ Audio Translation & Languages
  20. Al Quran Mp3 – 50 Reciters & Translation Audio
  21. Prayer Times: Azan, Quran, Qibla Compass
  22. Ramadan Times: Muslim Prayers, Duas, Azan & Qibla
  23. OK Google Voice Commands (Guide)
  24. Sikh World – Nitnem & Live Gurbani Radio
  25. 1300 Math Formulas Mega Pack
  26. Social Studies – School Course. USE and BSE.
  27. Bombuj – Filmy a seriály zadarmo
  28. Video to MP3 Converter, RINGTONE Maker, MP3 Cutter
  29. Power VPN Free VPN
  30. Earth Live Cam – Public Webcams Online
  31. QR & Barcode Scanner
  32. Remove Object from Photo – Unwanted Object Remover
  33. IRCTC Train PNR Status, NTES Rail Running Status

Experts have already notified Google engineers about the Trojan, after which some of the infected applications were quickly removed from Google Play. In addition, updates have been released for several applications in which the Trojan component is no longer present. However, at the time the threat report was published, most of the applications still contained the malicious module and remained available for download through the official catalogue.

Curing recommendations

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or you see some other announcement that prevents you from using the handheld normally), do the following:
  • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular mobile device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
  • Once safe mode is active, install Dr.Web for Android Light on the infected handheld and run a full system scan; follow the steps recommended for neutralizing the threats that have been detected;
  • Switch off your device and turn it on as normal.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
