Thursday, May 22, 2025
HomeGoogle8 Malicious Applications in Google Play Store Infects 50,000 Android Users to...

8 Malicious Applications in Google Play Store Infects 50,000 Android Users to Steal Data and Generate Illegitimate Revenue

Published on

SIEM as a Service

Follow Us on Google News

A new clicker malware found in Google play dubbed Haken aims to gain control over the affected devices and to generate illegitimate profit.

Checkpoint researchers observed the new malware family while looking for another clicker malware BearClod.

The Haken malware is capable of exfiltrating sensitive user data from the infected device and also subscribes to premium services.

- Advertisement - Google News

Eight such apps caught distributing the malware in the Google play store, altogether downloaded for more than 50,000 times.

Haken Clicker Malware

To perform clicking malware utilizes the native code and injection to Facebook and AdMob libraries while communicating to the server.

The first entry point for the backdoored app is Haken clicker receiver called ‘BaseReceiver’ which seeks permission from the user to make the application run once the device is started.

According to Checkpoint report “the BaseReceiver loads a library kagu-lib which calls a method called ‘startTicks’ which after inspection calls the method ‘clm’ from ‘com/google/android/gms/internal/JHandler.”

This particular class registered two workers and a timer, one worker communicates with the C&C server to download the configuration and process it.

The second worker triggered by the timer, responsible for “injects code into the Ad-related Activity classes of well-known Ad-SDK’s like Google’s AdMob and Facebook”.

By injecting the clicking functionality the attackers able to mimic the user clicks to generate illegitimate revenue.

The affected apps have been reported to Google by Checkpoint and the affected applications removed from Google play.

Following are the apps

Package NameInstallsSha256
com.faber.kids.coloring10,000+381620b5fc7c3a2d73e0135c6b4ebd91e117882f804a4794f3a583b3b0c19bc5
com.haken.compass10,000+30bf493c79824a255f9b56db74a04e711a59257802f215187faffae9c6c2f8dc
com.haken.qrcode5,000+62d192ff53a851855ac349ee9e6b71c1dee8fb6ed00502ff3bf00b3d367f9f38
 com.vimotech.fruits.coloring.book5,000+f4da643b2b9a310fdc1cc7a3cbaee83e106a0d654119fddc608a4b587c5552a3
com.vimotech.soccer.coloring.book5,000+a4295a2120fc6b75b6a86a55e8c6b380f0dfede3b9824fe5323e139d3bee6f5c
mobi.game.fruit.jump.tower100+e811f04491b9a7859602f8fad9165d1df7127696cc03418ffb5c8ca0914c64da
mobi.game.ball.number.shooter50+d3f13dd1d35c604f26fecf7cb8b871a28aa8dab343c2488d748a35b0fa28349a
com.vimotech.inongdan50+a47049094051135631aea2c9954a6bc7e605ff455cd7ef1e0999042b068a841f

Google announced that nearly 600 apps removed from the Google Play Store and banned from ad monetization platforms.

These apps are removed for showing disruptive ads that displayed to users in unexpected ways and for out-of-context ads in which developers serve ads even if the user not active with the application.

Follow us on TwitterLinkedinFacebook for Daily cyber security & hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Versa Concerto 0-Day Flaw Enables Remote Code Execution by Bypassing Authentication

Security researchers have uncovered multiple critical vulnerabilities in Versa Concerto, a widely deployed network...

Hackers Targets Coinbase Users Targeted in Advanced Social Engineering Hack

Coinbase users have become the prime targets of an intricate social engineering campaign since...

Hackers Exploit PyBitmessage Library to Evade Antivirus and Network Security Detection

The AhnLab Security Intelligence Center (ASEC) has uncovered a new strain of backdoor malware...

Several GitLab Vulnerabilities Enable Attackers to Launch DoS Attacks

GitLab has issued critical security patches addressing 11 vulnerabilities across its Community Edition (CE)...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit PyBitmessage Library to Evade Antivirus and Network Security Detection

The AhnLab Security Intelligence Center (ASEC) has uncovered a new strain of backdoor malware...

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs...

PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some...