Malwarebytes researchers spotted what they dubbed a “Trojan.Pornclicker” in the Google Play store disguised as a Turkish application named “Mayis Guzel Aydir.”
The app's name roughly translates, depending on the source, either to “May Beautiful Overnights” or “May is a beautiful month” and once installed and opened, it displays a full-screen eyeball that doesn't appear to do anything. However, behind the scenes the application is manually visiting adult sites for the purpose of gaining revenue on a pay-per-click basis, according to a June 2 blog post.
Even if a user removes the app after seeing the app appears useless, researchers said the damage has already been done.
“Every time the app clicks any of these websites, the bad guys get paid and you are left with some embarrassing network traffic,” researchers said in the post.
Researchers said the app didn't have a description in the Google Play store and displayed a few screenshots of a calculator app which didn't appear to have anything to do with the app's name.
Despite lacking a clear description, the application had between 1,000 – 5,000 installs and 3.2 star rating with 383 ratings given on Google Play at the time the post was written, researchers said in the post. Several other versions of the app were also spotted with the same name but with a number at the end, such as “Mayis Guzel Aydir 2.”
The malicious app is also designed to monetize the bandwidth of its victim's traffic in a direct manner through ad clicks as opposed to stealing data, Tripwire Security Researcher Craig Young told SCMagazine.com via email comments.
“Fortunately for consumers, in this case the damage is primarily caused to advertisers and advertising networks, but this type of attack can also end up costing users money by way of excessive data charges,” he said.
“Beyond the use of mobile anti-virus software, an average user would likely never know that their device is being abused in this way apart from battery drain and extra data consumption.”
The app has since been taken down but researches warned there may be others out there and experts said this is a common attack where someone creates an attack that appears useful but conducts malicious deeds in the background.
“In the traditional desktop world, the Trojan threat such as this is more difficult to contain and fix,” Engin Kirda, co-founder and chief architect at Lastline, told SCMagaine.com via emailed comments.
“In the mobile world, however, we have the advantage that once a threat like this is detected, the app would be thrown out of the play store and more infections would be prevented,” Kirda said.
He said the easiest protection is not to install any apps that have very low popularity ratings or a low number of downloads and that highly popular apps will usually not be malicious although there are expectations. He also said users should make sure they only give permission for the app to use things you think the app will need.
