Investigators found a Trojan clicker bundled with more than 33 apps distributed via the Google Play Store and downloaded more than 100 million times by Android users.
The malware was built as a malicious module and added to apparently harmless applications such as audio players, bar code scanners, dictionaries and many other kinds of common software that people routinely install on their Android devices.
As Doctor Web researchers found, these apps worked as advertised and showed no warning signs in their interface. They also displayed none of the usual red flags of malicious applications, such as hiding their icon after installation or requesting far more permissions than their stated function requires.
Clicker trojans are malware designed to stay resident in memory on infected devices and to perform ad-fraud tasks in the background, such as opening web pages without the victim's knowledge.
The clicker Trojan, which Doctor Web researchers named Android.Click.312.origin, only activates eight hours after the host app is first launched, a delay long enough to outlast a typical automated analysis run and so avoid detection.
Another variant, named Android.Click.312.origin, was subsequently found during the analysis of this malicious campaign.
Once launched on a compromised device, the malware starts collecting system information, such as:
- the OS version,
- the device’s manufacturer and model,
- the user’s country of residence,
- the internet connection type,
- the user’s time zone,
- and details of the host app that carries the clicker module.
All this information and more is packaged and sent to the malware's command and control (C2) server, which replies with settings, commands and additional modules. Among those instructions are ones “to register a broadcast receiver and a content observer, which Android.Click.312.origin uses to monitor the installation and updates of applications.”
Whenever the user installs a new application on the infected device, whether from the Play Store or via an APK installer, the Trojan sends technical details about the device and the newly installed application to its C2 server, which responds with a URL to open in the browser, in an invisible WebView, or in the Play Store.
“Thus, depending on the settings of the command and control server and the instructions it sends, the trojan can not only advertise applications on Google Play, but also covertly load any websites, including advertisements (even videos) or other dubious content,” the researchers wrote.
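The behaviour described above (runtime registration of a package-install broadcast receiver and a content observer, an invisible WebView loading server-supplied URLs, Play Store links, and a multi-hour start delay) is what an analyst would look for in the decompiled code of a suspect app or SDK. The following Python triage script is an added example, not Doctor Web's tooling or anything from the report: every regex, weight, threshold and the sample decompiled snippets are assumptions constructed for illustration.

```python
"""Code-level triage for the clicker behaviour described in the report.

Added example, not Doctor Web's tooling: scans decompiled Java-like source
text for the behaviours the article describes (runtime registration of a
package-install receiver and a ContentObserver, an invisible WebView that
loads server-supplied URLs, Play Store links, a multi-hour start delay).
All regexes, weights, the threshold and the sample sources are assumptions
constructed for illustration.
"""
import re

# (indicator, pattern, weight). Weights are an assumption for this example.
INDICATORS = [
    ("install_receiver", re.compile(r"PACKAGE_(ADDED|REPLACED|CHANGED)"), 3),
    ("dynamic_register", re.compile(r"\bregisterReceiver\s*\("), 2),
    ("content_observer", re.compile(
        r"\bregisterContentObserver\s*\(|extends\s+ContentObserver"), 2),
    ("webview_load", re.compile(r"\bloadUrl\s*\("), 1),
    ("hidden_webview", re.compile(
        r"setVisibility\s*\(\s*(View\.)?(GONE|INVISIBLE|8|4)\s*\)"), 2),
    ("market_intent", re.compile(r"market://details|play\.google\.com/store/apps"), 1),
]
# Start-up delays: a millisecond literal in postDelayed(...) or TimeUnit.HOURS.toMillis(n).
DELAY_MS = re.compile(r"postDelayed\s*\([^)]*?,\s*(\d+)L?\s*\)")
DELAY_HOURS = re.compile(r"TimeUnit\.HOURS\.toMillis\(\s*(\d+)\s*\)")
MS_PER_HOUR = 3_600_000

# Constructed decompiled snippets standing in for an ad SDK inside a host app.
SAMPLE_SOURCES = {
    "com/example/sdk/ClickerModule.java": """
        public void start(Context ctx) {
            new Handler().postDelayed(this::init, 28800000L);  // 8 h
        }
        void init() {
            IntentFilter f = new IntentFilter("android.intent.action.PACKAGE_ADDED");
            f.addAction("android.intent.action.PACKAGE_REPLACED");
            ctx.registerReceiver(new InstallReceiver(), f);
            ctx.getContentResolver().registerContentObserver(uri, true, new PkgObserver(h));
        }
    """,
    "com/example/sdk/Renderer.java": """
        WebView wv = new WebView(ctx);
        wv.setVisibility(View.GONE);
        wv.loadUrl(urlFromServer);
    """,
    "com/example/app/Scanner.java": """
        camera.startPreview();  // ordinary barcode-scanner code
    """,
}


def scan_sources(sources):
    """Return {indicator: [paths]} for every indicator that matched somewhere."""
    hits = {}
    for path, text in sources.items():
        for name, pattern, _weight in INDICATORS:
            if pattern.search(text):
                hits.setdefault(name, []).append(path)
    return hits


def max_delay_hours(sources):
    """Largest scheduled delay found, in hours (0.0 if none)."""
    best = 0.0
    for text in sources.values():
        for m in DELAY_MS.finditer(text):
            best = max(best, int(m.group(1)) / MS_PER_HOUR)
        for m in DELAY_HOURS.finditer(text):
            best = max(best, float(m.group(1)))
    return best


def verdict(sources):
    """Score the sources; flag only when the install hook co-occurs with other behaviour.

    A PACKAGE_ADDED receiver alone is normal for launchers and security apps,
    so the hook is necessary but not sufficient. The threshold is an assumption.
    """
    hits = scan_sources(sources)
    weights = {name: w for name, _p, w in INDICATORS}
    score = sum(weights[name] for name in hits)
    delay = max_delay_hours(sources)
    if delay >= 1.0:  # anything over an hour outlasts a typical sandbox run
        score += 2
    return {
        "hits": hits,
        "score": score,
        "max_delay_hours": delay,
        "suspicious": "install_receiver" in hits and score >= 6,
    }


if __name__ == "__main__":
    result = verdict(SAMPLE_SOURCES)
    for name, paths in sorted(result["hits"].items()):
        print(f"{name:17s} {', '.join(paths)}")
    print(f"score={result['score']} delay={result['max_delay_hours']:.1f}h "
          f"suspicious={result['suspicious']}")
```

Two caveats follow from the article itself. Because the apps showed none of the obvious signs (icon hiding, excessive permissions), a manifest-only check finds nothing; the indicators live in code, and since the receiver and observer are registered at runtime on C2 instruction, they may sit in a module the SDK downloads later rather than in the shipped APK, so any modules fetched during dynamic analysis should be scanned too. And a package-install receiver is legitimate in launchers and security products, which is why the script weights co-occurring behaviours instead of alerting on that hook alone.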
For example, some users reported in Google Play reviews that, after installing apps carrying the Android.Click.312.origin clicker, they were “automatically subscribed to costly content service providers.”
Dr. Web researchers found the Trojan clicker in the apps they identified and reported them to Google. Google has removed several of the apps, while others have since been updated with the malicious module removed.
The researchers also detail what information the clicker sends to its C2 servers and the commands and settings it receives from its operators.
In addition, the Dr. Web research team recommends that developers “responsibly choose modules to monetize their applications and not integrate dubious SDKs into their software.”