Updated August 18th, 2019
Two related ad fraud malware programs, recently discovered in 34 trojanized Android applications, have already been downloaded roughly 102 million times from the Google Play store, researchers reported.
Dubbed Android.Click.312.origin and Android.Click.313.origin, the malicious clicker trojans appear to be designed primarily to sign users up for paid premium services without their consent, according to a blog post published last week researchers at Russian antivirus company Dr.Web.
The malware has been found in a wide variety of otherwise normal-looking and operable apps, including maps, QR code readers, dictionaries, fitness trackers, route finders, text editors, Muslim-centric apps and more. The blog post has republished a series of app user complaints, which are written in Cyrillic, suggesting the attackers appear to be targeting Russian-speaking users.
After its initial launch, Android.Click.312.origin and its modified variant Android.Click.313.origin waits eight hours before commencing malicious activity, in hopes of staying under the radar. Once active again, it exfiltrates a variety of user information to its command-and-control server, including device manufacturer and model, operating system version, country of residence and default system language, user-agent ID, mobile carrier, internet connection type, display parameters, time zone and data on the application that contained the trojan in the first place.
“In response, Android.Click.312.origin receives website addresses to open in an invisible WebView, as well as links to load in a browser or on Google Play,” the blog post said. “Thus, depending on the settings of the command and control server and the instructions it sends, the trojan can not only advertise applications on Google Play, but also covertly load any websites, including advertisements (even videos) or other dubious content.” This allows the malware to secretly sign up for premium services without the victim’s knowledge or confirmation.
Dr.Web said that Google removed “some applications” from its store after being informed of the threat; however, as of Aug. 8, “most applications still contained a malicious module and remained available for download.”