Clicker trojan found in Android apps with over 100M installs

Researchers found a clicker Trojan bundled with 33 apps distributed through the Google Play Store and downloaded by Android users more than 100 million times in total.

The malware was packaged as a malicious module inside seemingly harmless applications such as audio players, barcode scanners, dictionaries, and other ordinary software that most people would install on their Android devices without a second thought.

As Doctor Web researchers found, these apps were fully functional and showed no warning signs in their interface. They also lacked the telltale behavior of most malicious applications, such as hiding their icon after installation or requesting far more permissions than their advertised functionality needs.

Clicker Trojans are a type of malware designed to stay active in the memory of infected devices and perform various ad fraud-related tasks in the background such as opening web pages without the victim’s knowledge.

Subscribes victims to premium services

The clicker Trojan, dubbed Android.Click.312.origin by the researchers, would only activate 8 hours after the app that contained it was launched, a delay long enough to outlast most automated dynamic-analysis runs and so evade detection.

A second variant of the Trojan was also identified while analyzing this malicious campaign.

Once running on an infected Android device, the malicious module immediately starts collecting system information such as:

  • the OS version,
  • the device’s manufacturer and model,
  • the user’s country of residence,
  • the internet connection type,
  • the user’s time zone,
  • and details of the host app carrying the clicker Trojan module.

All this information and more is packed and sent to the malware’s command and control (C2) server which, in turn, will transmit back commands and new modules to be used, for instance, “to register a broadcast receiver and a content observer, which Android.Click.312.origin uses to monitor the installation and updates of applications.”

Once the user installs a new app on the infected device via the Play Store or from an APK installer, the Trojan will send info and technical data on the device and the newly installed app to its C2 server which sends back URLs to open in a browser, an invisible WebView, or in the Play Store.

“Thus, depending on the settings of the command and control server and the instructions it sends, the trojan can not only advertise applications on Google Play, but also covertly load any websites, including advertisements (even videos) or other dubious content,” the researchers found.

As an example, some users reported on Google’s Play Store that they were “automatically subscribed to expensive content provider services” after installing applications containing the Android.Click.312.origin clicker Trojan.

Doctor Web’s researchers found the clicker Trojan within the apps listed in the table below and reported them to Google. Google removed several of the reported apps, while others were updated by their developers with the malicious module removed.

Package name                                        SHA1                                      Minimum downloads
com.a13.gpslock                                     c0ddd6a164905ef6f65ec06ff088a991c01687e9  (not listed)
com.a13softdev.qrcodereader                         ea3e521d80730097f2c48dd9f0432749a07b9562  1,000,000
com.aitype.android                                  66c75e23ab7169475043cdc120206c06b261349d  10,000,000
com.crics.cricketmazza                              1915eb46bd9ee2fe6748deaa0750cee83f72f8e0  1,000,000
com.dictionary.englishurdu                          6c1347786aef5beb0060229c043e5c2ab24f1210  5,000,000
com.finance.loan.emicalculator                      b8370356b55b13824eac3f8c0129bc2a00ddaf93  1,000,000
com.fitness.stepcounter.pedometer                   100b7a782cf12c0d08b94b3a8425c972f44f2ddc  100,000
com.galaxyapps.routefinder                          4328b4c99dac008e6c509ac1521014faa0dadcc3  5,000,000
com.guruinfomedia.ebook.pdfviewer                   0a17c18c49c97cdf558a986037b0e4b0c8592442  100,000
com.guruinfomedia.gps.speedometer                   7964ec42624b91280a044024906ce71ec46cc6ea  1,000,000
com.guruinfomedia.gps.speedometerpro                eca09c6331129c86e95a64a2f89dce8ad23cfea0  50,000
com.guruinfomedia.notepad.texteditor                88d1c4d118decd4360e6a8abc186965ccc05fe23  1,000,000
com.guruinfomedia.notepad.texteditor.pro            c5caf490f8627f510553b9336d62fd28382d22d5  100,000
com.impactobtl.friendstrackerfree                   0c7dbdb521efd7354d515e2b24c8f2c61432c4bc  1,000,000
com.impactobtl.whodeletedme                         8b901532f3247bdafe84e2d315d900bfe3a91bd6  500,000
com.mapsnavigation.gpsroutefinder.locationtrackers  fbe2ac65d1a9c2894821faaff000ea7ac1147cee  1,000,000
com.qibla.compass.prayertimes                       034ba8339be985c137108f4064bff4e156817c51  100,000
com.qiblafinder.prayertime.hijricalendar            ef8a44cabd1ed8ef37c303c8fc16effb6c28fa5c  1,000,000
com.quranmp3.readquran                              9b4a330a6ebe026db5fd13483c1a0a9de4571c89  1,000,000
com.quranmp3ramadan.readquran                       a870ba7293fc5475b499466a90d9a38a539a645c  500,000
com.ramdantimes.prayertimes.allah                   b13b296d20f360f8413b49459dc7397799e38763  1,000,000
com.ramdantimes.qibla.prayertimes                   e74dec8b5ff7d0fa77f21f21fdb49f0e0f3722c7  500,000
com.sdeteam.gsa                                     4e8112e4e3039e4a8d2479e3acae858deae0c3a1  1,000,000
com.shikh.gurbaniradio.livekirtan                   1c69c6cc2714496fb50818b1c46be0ca72086fad  100,000
com.studyapps.mathen                                9498a03c48b4802d1e529e42d5dc72a7e2da1593  500,000
com.studyapps.obshestvo                             4f2dfe1410b7de8f9301d5c54becfa87d7cdd276  100,000
com.tosi.bombujmanual                               8161f174eb43ee98838410e08757dd6dc348b53f  500,000
com.videocutter.mp3converter                        f9a7b22c2a8c07cf1e878dc625ea60e634486333  1,000,000
com.vpn.powervpn                                    a7dded17f59ad889d949232ee8b5c43d667ca351  1,000,000
liveearthcam.livewebcams.livestreetview             581f505f4a83ad2ff1823dd3477c000788a77829  500,000
qrcode.scanner.qrmaker                              a53bcd4a4313dee7d6fd226867a005b8549c0227  5,000,000
remove.unwanted.object                              22f2690b89e8c1ea0172ced211d3d57f07118bcb  10,000,000
com.ixigo.train.ixitrain                            700819680439ce23945f25a20f1be97a1ff7d074  50,000,000
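The table above is the indicator list a responder would actually use. The following script is an added example (not code from Doctor Web or BleepingComputer) that applies it in the two ways that matter in practice: hashing every .apk in a directory and comparing against the SHA-1 values, and flagging package names in the output of `adb shell pm list packages`. The sample `pm list packages` text embedded in the script is constructed for illustration, not a dump from a real device.

```python
"""IOC checker for the Android.Click.312.origin app list (added example, not the researchers' code)."""
import hashlib
import sys
from pathlib import Path

# Package name -> SHA-1 of the sample, copied from the table in the article.
IOC_SHA1 = {
    "com.a13.gpslock": "c0ddd6a164905ef6f65ec06ff088a991c01687e9",
    "com.a13softdev.qrcodereader": "ea3e521d80730097f2c48dd9f0432749a07b9562",
    "com.aitype.android": "66c75e23ab7169475043cdc120206c06b261349d",
    "com.crics.cricketmazza": "1915eb46bd9ee2fe6748deaa0750cee83f72f8e0",
    "com.dictionary.englishurdu": "6c1347786aef5beb0060229c043e5c2ab24f1210",
    "com.finance.loan.emicalculator": "b8370356b55b13824eac3f8c0129bc2a00ddaf93",
    "com.fitness.stepcounter.pedometer": "100b7a782cf12c0d08b94b3a8425c972f44f2ddc",
    "com.galaxyapps.routefinder": "4328b4c99dac008e6c509ac1521014faa0dadcc3",
    "com.guruinfomedia.ebook.pdfviewer": "0a17c18c49c97cdf558a986037b0e4b0c8592442",
    "com.guruinfomedia.gps.speedometer": "7964ec42624b91280a044024906ce71ec46cc6ea",
    "com.guruinfomedia.gps.speedometerpro": "eca09c6331129c86e95a64a2f89dce8ad23cfea0",
    "com.guruinfomedia.notepad.texteditor": "88d1c4d118decd4360e6a8abc186965ccc05fe23",
    "com.guruinfomedia.notepad.texteditor.pro": "c5caf490f8627f510553b9336d62fd28382d22d5",
    "com.impactobtl.friendstrackerfree": "0c7dbdb521efd7354d515e2b24c8f2c61432c4bc",
    "com.impactobtl.whodeletedme": "8b901532f3247bdafe84e2d315d900bfe3a91bd6",
    "com.mapsnavigation.gpsroutefinder.locationtrackers": "fbe2ac65d1a9c2894821faaff000ea7ac1147cee",
    "com.qibla.compass.prayertimes": "034ba8339be985c137108f4064bff4e156817c51",
    "com.qiblafinder.prayertime.hijricalendar": "ef8a44cabd1ed8ef37c303c8fc16effb6c28fa5c",
    "com.quranmp3.readquran": "9b4a330a6ebe026db5fd13483c1a0a9de4571c89",
    "com.quranmp3ramadan.readquran": "a870ba7293fc5475b499466a90d9a38a539a645c",
    "com.ramdantimes.prayertimes.allah": "b13b296d20f360f8413b49459dc7397799e38763",
    "com.ramdantimes.qibla.prayertimes": "e74dec8b5ff7d0fa77f21f21fdb49f0e0f3722c7",
    "com.sdeteam.gsa": "4e8112e4e3039e4a8d2479e3acae858deae0c3a1",
    "com.shikh.gurbaniradio.livekirtan": "1c69c6cc2714496fb50818b1c46be0ca72086fad",
    "com.studyapps.mathen": "9498a03c48b4802d1e529e42d5dc72a7e2da1593",
    "com.studyapps.obshestvo": "4f2dfe1410b7de8f9301d5c54becfa87d7cdd276",
    "com.tosi.bombujmanual": "8161f174eb43ee98838410e08757dd6dc348b53f",
    "com.videocutter.mp3converter": "f9a7b22c2a8c07cf1e878dc625ea60e634486333",
    "com.vpn.powervpn": "a7dded17f59ad889d949232ee8b5c43d667ca351",
    "liveearthcam.livewebcams.livestreetview": "581f505f4a83ad2ff1823dd3477c000788a77829",
    "qrcode.scanner.qrmaker": "a53bcd4a4313dee7d6fd226867a005b8549c0227",
    "remove.unwanted.object": "22f2690b89e8c1ea0172ced211d3d57f07118bcb",
    "com.ixigo.train.ixitrain": "700819680439ce23945f25a20f1be97a1ff7d074",
}
# Reverse index so a file hash can be looked up directly.
SHA1_TO_PACKAGE = {digest: pkg for pkg, digest in IOC_SHA1.items()}


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large APKs do not have to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(digests: dict) -> list:
    """digests maps a label (e.g. a file name) to a SHA-1 hex string.
    Returns (label, package) pairs for every digest that is in the IOC table."""
    hits = []
    for label, digest in digests.items():
        pkg = SHA1_TO_PACKAGE.get(digest.lower())
        if pkg is not None:
            hits.append((label, pkg))
    return hits


def scan_apk_dir(directory: Path) -> list:
    """Hash every *.apk in a directory and report those matching a known sample."""
    return match_hashes({p.name: sha1_of_file(p) for p in sorted(directory.glob("*.apk"))})


def flagged_packages(pm_list_output: str) -> list:
    """Parse `adb shell pm list packages` output (one 'package:<name>' per line)
    and return the installed package names that appear in the IOC table."""
    found = []
    for line in pm_list_output.splitlines():
        line = line.strip()
        if line.startswith("package:") and line[len("package:"):] in IOC_SHA1:
            found.append(line[len("package:"):])
    return sorted(found)


# Constructed sample output of `adb shell pm list packages` (illustration only, not a real device).
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.aitype.android
package:com.example.notes
package:com.ixigo.train.ixitrain
"""

if __name__ == "__main__":
    print("flagged on sample device:", flagged_packages(SAMPLE_PM_OUTPUT))
    if len(sys.argv) > 1:  # optional: directory of APKs to hash
        for name, pkg in scan_apk_dir(Path(sys.argv[1])):
            print(f"{name}: SHA-1 matches the listed sample for {pkg}")
```

A hash hit identifies exactly the builds Doctor Web analyzed. A package-name hit only says the app is one that carried the module at some point; since several of these apps were later updated with the module removed, confirm the installed version (for example by pulling the APK with `adb pull` and hashing it) before treating a name match as an infection.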

The researchers provide detailed information on what information the clicker Trojan sends to its C2 servers, as well as the commands and settings it receives from its operators.

Additionally, Doctor Web’s research team also advises developers to “responsibly choose modules to monetize their applications and not integrate dubious SDKs into their software.”

Source: BleepingComputer