Friday, February 14, 2025
HomeAdwareNew Clicker Trojan Found Installed in 100 Million Android Users Device From...

New Clicker Trojan Found Installed in 100 Million Android Users Device From Google Play Store

Published on

SIEM as a Service

Follow Us on Google News

A malicious module called Clicker Trojan installed on nearly 100 million Android phones via Google play store apps such as audio players, barcode scanners, and other software.

Threat actors intended to add this malicious clicker trojan to increase website visit rates by simulating the user actions to clicking on links to earn money on online traffic.

All the malicious programs act as legitimate apps to steal a variety of sensitive data and report to the Command & Control server from infected devices. It collecting the following information.

  • manufacturer and model;
  • operating system version;
  • user’s country of residence and default system language;
  • User-Agent ID;
  • mobile carrier;
  • internet connection type;
  • display parameters;
  • time zone;
  • data on an application containing a trojan.

A Clicker Trojan dubbed Android.Click.312.origin planted in 33 application and hiding the icon after the installation process and requesting too many permission from the victim’s phone.

Clicker Trojan Automatically Subscribe the Paid Services

These applications were developed for not only advertised from Google Play store but its also distributing via websites and the trojan built-in applications to automatically subscribed to expensive content provider services.

Some of the users are frequently reporting in PlayStore that they are charged for some unwanted subscription without their knowledge.

First user comment: “After installation, it subscribes you to paid services! Be careful, do not install this application!!!”

Developer response: “What services? You’re wrong.”

Second user: “After installation, I was subscribed to 5 services and now my phone account is empty.”

User comment: “The moment you log in, it deducts 50 rubles. I don’t know what it is for, please explain.”

User comment: “The moment you log in, it deducts 50 rubles. I don’t know what it is for, please explain.”

According to Dr, Web research, “Since the trojan informs the command and control server about the current Internet connection type, the server can send a command to open a website of a partner service that supports the WAP-Click technology if the device is connected to the Internet via a mobile carrier”

Malicious apps misuse the WAP-Click, a technology that simplifies the subscription to various premium services without letting users know and there is no permission required to subscribe to the unwanted services.

There are nearly 34 apps were uncovered that installed in 51.7 million users device and additionally, a modified version of dubbed Android.Click.313.origin, was downloaded by at least 50 million Android users.

Package nameSHA1Minimal number of downloads
com.a13.gpslockc0ddd6a164905ef6f65ec06ff088a991c01687e950,000
com.a13softdev.qrcodereaderea3e521d80730097f2c48dd9f0432749a07b95621,000,000
com.aitype.android66c75e23ab7169475043cdc120206c06b261349d10,000,000
com.crics.cricketmazza1915eb46bd9ee2fe6748deaa0750cee83f72f8e01,000,000
com.dictionary.englishurdu6c1347786aef5beb0060229c043e5c2ab24f12105,000,000
com.finance.loan.emicalculatorb8370356b55b13824eac3f8c0129bc2a00ddaf931,000,000
com.fitness.stepcounter.pedometer100b7a782cf12c0d08b94b3a8425c972f44f2ddc100,000
com.galaxyapps.routefinder4328b4c99dac008e6c509ac1521014faa0dadcc35,000,000
com.guruinfomedia.ebook.pdfviewer0a17c18c49c97cdf558a986037b0e4b0c8592442100,000
com.guruinfomedia.gps.speedometer7964ec42624b91280a044024906ce71ec46cc6ea1,000,000
com.guruinfomedia.gps.speedometerproeca09c6331129c86e95a64a2f89dce8ad23cfea050,000
com.guruinfomedia.notepad.texteditor88d1c4d118decd4360e6a8abc186965ccc05fe231,000,000
com.guruinfomedia.notepad.texteditor.proc5caf490f8627f510553b9336d62fd28382d22d5100,000
com.impactobtl.friendstrackerfree0c7dbdb521efd7354d515e2b24c8f2c61432c4bc1,000,000
com.impactobtl.whodeletedme8b901532f3247bdafe84e2d315d900bfe3a91bd6500,000
com.mapsnavigation.gpsroutefinder.locationtrackersfbe2ac65d1a9c2894821faaff000ea7ac1147cee1,000,000
com.qibla.compass.prayertimes034ba8339be985c137108f4064bff4e156817c51100,000
com.qiblafinder.prayertime.hijricalendaref8a44cabd1ed8ef37c303c8fc16effb6c28fa5c1,000,000
com.quranmp3.readquran9b4a330a6ebe026db5fd13483c1a0a9de4571c891,000,000
com.quranmp3ramadan.readqurana870ba7293fc5475b499466a90d9a38a539a645c500,000
com.ramdantimes.prayertimes.allahb13b296d20f360f8413b49459dc7397799e387631,000,000
com.ramdantimes.qibla.prayertimese74dec8b5ff7d0fa77f21f21fdb49f0e0f3722c7500,000
com.sdeteam.gsa4e8112e4e3039e4a8d2479e3acae858deae0c3a11,000,000
com.shikh.gurbaniradio.livekirtan1c69c6cc2714496fb50818b1c46be0ca72086fad100,000
com.studyapps.mathen9498a03c48b4802d1e529e42d5dc72a7e2da1593500,000
com.studyapps.obshestvo4f2dfe1410b7de8f9301d5c54becfa87d7cdd276100,000
com.tosi.bombujmanual8161f174eb43ee98838410e08757dd6dc348b53f500,000
com.videocutter.mp3converterf9a7b22c2a8c07cf1e878dc625ea60e6344863331,000,000
com.vpn.powervpna7dded17f59ad889d949232ee8b5c43d667ca3511,000,000
liveearthcam.livewebcams.livestreetview581f505f4a83ad2ff1823dd3477c000788a77829500,000
qrcode.scanner.qrmakera53bcd4a4313dee7d6fd226867a005b8549c02275,000,000
remove.unwanted.object22f2690b89e8c1ea0172ced211d3d57f07118bcb10,000,000
com.ixigo.train.ixitrain700819680439ce23945f25a20f1be97a1ff7d07450,000,000

All the above mentioned apps are reported to Google and quickly removed from Google Play. several apps are updated and removed the malicious modules. Dr, web said.

Sponsored:  – Manage all the Endpoint networks from a single Console.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Also Read:

2 Android Apps From Google Play Store Launching Banking Malware With Sophisticated Evasion Techniques

85 Malicious Android Apps Discovered in Google Play Store that Affected 9 Million Users

35 Malicious Anti-Virus Apps Discovered in Google Play store that Affected 6 Million Users

Hackers Uploaded Fake Apps into Google Play Store to Steal Credit card details and Login Credentials

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

WinZip Vulnerability Allows Remote Attackers to Execute Arbitrary Code

A newly discovered vulnerability in WinZip, a popular file compression and archiving utility, has...

New Microsoft Windows GUI 0-Day Vulnerability Actively Exploited in the Wild

A newly discovered vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is reportedly...

Burp Suite Professional / Community 2025.2 Released With New Built-in AI Integration

PortSwigger has announced the release of Burp Suite Professional and Community Edition 2025.2, introducing...

Arbitrary File Upload Vulnerability in WordPress Plugin Let Attackers Hack 30,000 Website

A subgroup of the Russian state-sponsored hacking group Seashell Blizzard, also known as Sandworm,...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

RedNote App Security Flaw Exposes User Files on iOS and Android Devices

Serious security vulnerabilities have been uncovered in the popular social media and content-sharing app,...

BADBOX Botnet Surges: Over 190,000 Android Devices Infected, Including LED TVs

The BADBOX botnet, a sophisticated malware operation targeting Android-based devices, has now infected over...

Malicious Android & iOS Apps Downloaded Over 242,000 Times, Stealing Crypto Recovery Keys

A sophisticated malware campaign, dubbed SparkCat, has infiltrated Google Play and Apple’s App Store,...