Researchers discovered 22 malicious Android apps uploaded to the Google Play Store with sophisticated click-fraud functionality that affected around 2 million Android users.
Some of the malicious apps went unnoticed for months, even years; some were uploaded in June 2018, and one malicious flashlight app alone was downloaded by around 1 million users.
The attackers built these ad-clicker malware apps to be more persistent and more flexible than earlier versions.
Many of the apps contain downloader functionality and use a command-and-control (C&C) server to retrieve files.
The attackers send direct instructions from the C&C server to the malware apps, whose traffic then looks like that of a normal ad shown by a legitimate app.
They also use dedicated click-fraud tools that report to the ad network as specific models of both Android and iOS phones, and full-screen ads annoy users to draw attention and force them to click.
Affected users may notice the malicious activity because the app uses a large amount of data and drains the phone's battery.
All of these malicious apps generate fraudulent requests whose fake clicks cost ad networks significant revenue.
Click Fraud Apps Working Methods
Initially, once launched, the app starts communicating with its C&C server by sending an HTTP GET request; the server returns the "sdk" command along with a URL from which to download an "sdk" module.
In this case, the c2 module keeps checking the time interval in the "exp" field and reconnects every 10 minutes to fetch its sdk again.
Another module, called "mpb", performs the ad clicking on instruction from the C2 server; the server replies with another JSON structure containing the parameters the module will use to download the advertisement.
According to SOPHOS research: "In our tests, we have observed both Android and iOS apps and User-Agent strings in the 'pkg' field. So far, all these apps seem to be coming from a small number of developers."
It may be that all these developers are currently boosting each other’s ad income. But this architecture can potentially be used as a service to generate ad revenue for other apps as well.
Researchers also found that the same developers had placed malicious apps on the iTunes Store.
To reduce the chance of raising suspicion at the ad network, the attackers forge the User-Agent and device fields so that the generated network traffic looks like genuine traffic originating from real devices.
The click fraud remains persistent even when the user force-quits the app. Of the 22 apps, 19 were created after June 2018, and most of them have contained this "sdk" downloading function since their first version, the researchers said.
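Two of the behaviours described above leave traces a defender can look for in egress or proxy logs: the fixed 10-minute polling of the C&C server, and a single device presenting User-Agent strings from more than one platform (Android and iOS) because the UA field is forged. The script below is an added example, not code from the Sophos research or from the apps themselves. The log lines, the device ids, the `.invalid` hostnames and the thresholds (four hits, 30 seconds of jitter) are all constructed assumptions for illustration.

```python
"""Flag (1) near-constant-interval beaconing from a device to one host and
(2) a device whose User-Agent strings claim more than one mobile platform.
Added example; log format, hostnames and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed sample log: "timestamp device_id host user_agent" (not real traffic).
# dev-A polls one host every ~10 minutes and alternates Android/iOS UAs;
# dev-B browses a news site irregularly with a single, consistent UA.
SAMPLE_LOG = """\
2018-11-20T10:00:00 dev-A cnc.example.invalid Mozilla/5.0 (Linux; Android 8.0; SM-G950F) AppleWebKit/537.36
2018-11-20T10:10:02 dev-A cnc.example.invalid Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15
2018-11-20T10:20:01 dev-A cnc.example.invalid Mozilla/5.0 (Linux; Android 8.0; SM-G950F) AppleWebKit/537.36
2018-11-20T10:30:00 dev-A cnc.example.invalid Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/605.1.15
2018-11-20T10:03:15 dev-B news.example.invalid Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36
2018-11-20T10:27:40 dev-B news.example.invalid Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36
2018-11-20T11:45:05 dev-B news.example.invalid Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def parse_log(text):
    """Return a list of (timestamp, device_id, host, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, dev, host, ua = m.groups()
        events.append((datetime.fromisoformat(ts), dev, host, ua))
    return events


def platform_of(ua):
    """Coarse platform classification from a User-Agent string."""
    if "Android" in ua:
        return "android"
    if "iPhone" in ua or "iPad" in ua:
        return "ios"
    return "other"


def find_beacons(events, min_hits=4, max_jitter_s=30):
    """Return {(device, host): median_interval_seconds} for pairs whose
    request gaps all lie within max_jitter_s of the median gap."""
    by_pair = defaultdict(list)
    for ts, dev, host, _ in events:
        by_pair[(dev, host)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        if max(abs(g - med) for g in gaps) <= max_jitter_s:
            hits[pair] = med
    return hits


def find_platform_spoofing(events):
    """Return {device: [platforms]} for devices claiming more than one platform."""
    plats = defaultdict(set)
    for _, dev, _, ua in events:
        plats[dev].add(platform_of(ua))
    return {dev: sorted(p) for dev, p in plats.items() if len(p) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (dev, host), interval in find_beacons(evs).items():
        print(f"beacon: {dev} -> {host} every ~{interval:.0f}s")
    for dev, plats in find_platform_spoofing(evs).items():
        print(f"platform mismatch: {dev} claims {plats}")
```

On the constructed sample the beacon check flags dev-A polling cnc.example.invalid roughly every 600 seconds and the platform check flags dev-A for claiming both Android and iOS, while dev-B's irregular browsing with a single User-Agent is left alone. A legitimate app that refreshes content on a timer will also show regular intervals, so the interval finding is a lead to pair with the platform mismatch or with unexpected data and battery use, not a verdict on its own.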
IOC – Malicious Apps List
Tak A Trip