Almost two dozen apps with over 2 million downloads were removed from the Google Play market after researchers found that they contained a device-draining backdoor that enabled them to download files from an attacker-controlled server.
The apps come from various small developers; Sophos said that Google removed them from the Play store in late November. One of them, a flashlight app, had alone been downloaded more than a million times and had strong reviews, according to Sophos.
It's called click fraud
The apps worked by reporting to an attacker-controlled domain, mobbt.com, from which the infected phones downloaded ad-fraud modules every 80 seconds and received specific commands. The modules caused the phones to click on a large number of links to fraudulent ads. The apps displayed the ads in a window that was zero pixels high and zero pixels wide, so users had no visible sign that their phones were infected.
In all, Sophos observed server data showing fraudulent clicks attributed to Apple models ranging from the iPhone 5 to the iPhone 8 Plus, and to 249 other forged device models. The false user-agent data probably served several purposes:
- The iPhone labels may have let the scammers charge higher prices, because some advertisers pay a premium when their ads are viewed on iPhones.
- The false labeling gave the impression that a much larger number of distinct devices had clicked on the ads.
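The two behaviours described above (an Android app presenting itself as an iPhone, and phones polling mobbt.com on a fixed 80-second cycle) are both visible to whoever holds the ad-server or proxy logs. The following detector is an added example, not code from Sophos, Google or the apps in question. It assumes a log format of one request per line, `<epoch> <device_id> <host> <app_package> <user_agent>`, with the package field filled in only for requests made through an Android ad SDK; the sample log lines, device ids and the jitter/minimum-hit thresholds are constructed for the example. The C2 domain, the 80-second interval and the com.takatrip.android package name are taken from the report.

```python
"""Flag Andr/Clickr-ad-style behaviour in ad-request logs.

Added example, not vendor code. Assumed log format (one request per line):
    <epoch> <device_id> <host> <app_package> <user_agent>
"""
import re
from collections import defaultdict
from statistics import median

C2_DOMAIN = "mobbt.com"     # C2 domain named in the Sophos report
BEACON_INTERVAL_S = 80      # module-fetch interval named in the report
TOLERANCE_S = 10            # assumption: jitter accepted around the interval
MIN_BEACONS = 3             # assumption: hits required before flagging a device

IPHONE_UA = re.compile(r"\biPhone\b", re.IGNORECASE)
ANDROID_PKG = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$")

# Constructed sample log lines (not real traffic). dev1 claims to be an
# iPhone while running an Android package and polls mobbt.com every 80 s;
# dev2 is a benign device; dev3 contacts mobbt.com only twice.
SAMPLE_LOG = """\
1000 dev1 ads.example.net com.takatrip.android Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X)
1080 dev1 mobbt.com com.takatrip.android Dalvik/2.1.0 (Linux; U; Android 8.0.0)
1160 dev1 mobbt.com com.takatrip.android Dalvik/2.1.0 (Linux; U; Android 8.0.0)
1240 dev1 mobbt.com com.takatrip.android Dalvik/2.1.0 (Linux; U; Android 8.0.0)
1500 dev2 ads.example.net com.example.news Mozilla/5.0 (Linux; Android 9; Pixel 3)
1900 dev2 cdn.example.net com.example.news Mozilla/5.0 (Linux; Android 9; Pixel 3)
2000 dev3 mobbt.com com.example.game Dalvik/2.1.0 (Linux; U; Android 7.1)
2080 dev3 mobbt.com com.example.game Dalvik/2.1.0 (Linux; U; Android 7.1)
"""


def parse_log(text):
    """Split each line into its five fields; the user agent may contain spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, host, package, user_agent = line.split(" ", 4)
        records.append({"ts": int(ts), "device": device, "host": host,
                        "package": package, "ua": user_agent})
    return records


def find_forged_user_agents(records):
    """An Android package name combined with an iPhone user agent cannot
    come from a genuine device, so each such (device, package) pair is flagged."""
    hits = set()
    for r in records:
        if ANDROID_PKG.match(r["package"]) and IPHONE_UA.search(r["ua"]):
            hits.add((r["device"], r["package"]))
    return sorted(hits)


def find_beaconing(records, domain=C2_DOMAIN, interval=BEACON_INTERVAL_S,
                   tolerance=TOLERANCE_S, min_hits=MIN_BEACONS):
    """Flag devices whose contacts with `domain` recur at a fixed interval.
    The median gap is used so a single missed poll does not hide the pattern."""
    by_device = defaultdict(list)
    for r in records:
        if r["host"] == domain or r["host"].endswith("." + domain):
            by_device[r["device"]].append(r["ts"])
    flagged = []
    for device, times in by_device.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if abs(median(gaps) - interval) <= tolerance:
            flagged.append(device)
    return sorted(flagged)


def analyze(text):
    """Run both checks over a log and return the findings."""
    records = parse_log(text)
    return {"forged_ua": find_forged_user_agents(records),
            "beaconing": find_beaconing(records)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed log this reports dev1 under both checks and nothing for dev2 or dev3; in practice the beaconing check is the more durable of the two, since a user-agent string is trivial for an operator to change while a fixed polling cadence tends to persist across module updates.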
Sophos researcher Chen Yu concluded:
Andr/Clickr-ad is a well-organized, persistent malware that has the potential to cause serious harm to end users, as well as the entire Android ecosystem. These apps generate fraudulent requests that cost ad networks significant revenue as a result of the fake clicks.
From the user’s perspective, these apps drain their phone’s battery and may cause data overages as the apps are constantly running and communicating with servers in the background. Furthermore, the devices are fully controlled by the C2 server and can potentially install any malicious modules upon the instructions of the server.
Android users should check the list below and ensure that none of these battery-draining apps are installed or running:
| Package name | App name | SHA-1 hash |
|---|---|---|
| com.takatrip.android | Tak A Trip | 0bcd55faae22deb60dd8bd78257f724bd1f2fc89 |