A malicious “clicker trojan” has been detected and reported by security researchers, who have warned that the malware has now been bundled with 34 different Google Play apps and installed more than 100 million times. The Android.Click.312.origin trojan, as well as its modified Android.Click.313.origin variant, is just the latest in a procession of malware to come to light in recent weeks, designed to generate fraudulent click-through and subscription revenue for its developers.
In their disclosure, the security researchers at Doctor Web reported that the malware has been built into “ordinary applications, such as dictionaries, online maps, audio players, barcode scanners, and other software,” all of which appear to function normally, so that users have no reason to become suspicious. Worse, the malware “only starts its malicious activity eight hours after launch,” making it even less likely that a victim will connect the app with anything harmful going on in the background.
This pattern, in which apps that look and work exactly as users expect are either built with hidden malicious code or compromised through the supply chain while doing harm in the background, is an increasing trend. A list of the infected apps found so far is included in Doctor Web’s disclosure.
Doctor Web’s researchers reported that applications with Android.Click.312.origin embedded “were installed by over 51.7 million users,” while “at least 50 million people” installed apps hiding Android.Click.313.origin. “Thus,” they say, “the total number of mobile device owners threatened by this trojan, exceeded 101.7 million.”
When the malware does start to ply its trade, it first sends a range of device and user information to its command and control server, including the device identifier, the device’s location and the mobile carrier. This enables the C&C server to return the settings the malware will use in framing its attack, including details of the apps being used on the device. The malware can also direct traffic to fraudulent premium subscription services, and the researchers reported some users being “automatically subscribed to expensive content provider services” by the trojan.
Android malware stories are coming weekly now, and last month alone tens of millions of fraudulent apps were downloaded from the Play Store. Most of those fraudulent downloads were ad-fraud, with the most dangerous intended to promote fraudulent subscriptions.
Google is continually improving its defences against the abuse of its platform, but developers of such malware are working just as hard to keep a few steps ahead. Google Play Protect is designed to guard against app vulnerabilities and, in 2018, Google “detected and removed malicious developers faster, and stopped more malicious apps from entering the Google Play Store than ever before. The number of rejected app submissions increased by more than 55%, and we increased app suspensions by more than 66%.”
But malware-laced apps and nuisance scam apps are not being caught by the measures in place. And that puts the onus on users to take care. As I’ve said before, “there’s no substitute for common sense and treating apps from unknown sources as potential threats.”
Also in the last week, we have seen Facebook take legal action against developers for ad-fraud apps downloaded from Google Play, and even a warning from Google itself that tens of millions of Android devices are being bought new with dangerous malware factory-installed.
The victims here are the users with infected devices as well as the organizations paying for ghost ads and click-throughs. And the problem is undoubtedly getting worse, the malware more sophisticated and prevalent. While the usual warnings still apply to users, the bigger message now is to the industry of developers and to the app platforms to improve efforts to keep the ecosystem safer than it is at the moment. Supply chains are being successfully compromised, and users are being put in a position where they don’t know who to trust. That is seriously damaging for the industry as a whole.
In this instance, a number of the infected apps reported by Doctor Web have been removed from the Play Store, while others have been cleansed of their malicious code. Another battle won, but the war is arguably being lost.