Auto-Clicking Android Adware Found in 340 Apps on the Google Play Store

  • August 17, 2017
  • 07:39 AM

GhostClicker

The developer(s) of an Android adware family named GhostClicker managed to sneak the malware onto the official Google Play Store on several occasions, hiding it in as many as 340 mundane Android apps.

There have been so many cases of Android adware making it on the Google Play Store that it's getting harder to keep track of all the adware families. Previous cases include Chamois, FalseGuide, HummingBad, Viking Horde, DressCode, CallJam, and Skinner, just to name the biggest.

All show a trend and weakness in Google's Play Store security checks that malware devs are exploiting to push adware to unsuspecting users.

The secret of sneaking malware past Google is to split malicious behavior across several components, delay its execution, and use anti-sandboxing checks to prevent execution in obvious testing environments.

GhostClicker active since August 2016

GhostClicker uses two of these techniques. The first is splitting its malicious code across the Google Mobile Services (GMS) API and the Facebook Ads software development kit (SDK). The second is an anti-sandboxing check that prevents the malware from running if the smartphone's user-agent string contains the term "nexus," which is commonly used in many Android sandboxing applications.
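For analysts triaging decompiled apps, the following added example (not code from this article or from Trend Micro) flags conditions that compare a device-identity value against a sandbox-typical token such as "nexus". It generalizes beyond the user-agent check described above: the API names in `IDENTITY_SOURCES`, every token other than "nexus", and the sample source are assumptions made for illustration.

```python
import re

# Assumptions, not from the article: which APIs expose the user agent or device
# model, and every token except "nexus" (the only one the article names).
IDENTITY_SOURCES = ("http.agent", "getUserAgentString", "getDefaultUserAgent",
                    "Build.MODEL", "Build.PRODUCT", "Build.FINGERPRINT")
SANDBOX_TOKENS = ("nexus", "emulator", "generic", "sdk_gphone")

ASSIGN = re.compile(r"(\w+)\s*=(?!=)\s*(.+);")
COMPARE = re.compile(
    r"(\w[\w.()\"]*?)\.(?:contains|equals|equalsIgnoreCase|startsWith|indexOf|matches)"
    r"\(\s*\"([^\"]*)\"")

# Constructed sample of decompiled Java, not taken from any real app.
SAMPLE = '''\
public void onCreate() {
    String ua = System.getProperty("http.agent");
    String lowered = ua.toLowerCase();
    String title = getString(R.string.app_name);
    if (title.contains("nexus")) { setTitle(title); }
    if (lowered.contains("nexus")) { return; }
    if (ua.contains("Chrome")) { enableWebView(); }
    startAdService();
}
'''

def find_env_gates(source):
    """Return (line number, token, code) for each identity-vs-sandbox-token test."""
    tainted, findings = set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            rhs = m.group(2)
            # Propagate taint: the value comes from an identity API or a tainted variable.
            if any(s in rhs for s in IDENTITY_SOURCES) or any(
                    re.search(rf"\b{re.escape(v)}\b", rhs) for v in tainted):
                tainted.add(m.group(1))
        for receiver, literal in COMPARE.findall(line):
            reads_identity = (any(s in receiver for s in IDENTITY_SOURCES)
                              or re.match(r"\w+", receiver).group(0) in tainted)
            token = next((t for t in SANDBOX_TOKENS if t in literal.lower()), None)
            if reads_identity and token:
                findings.append((lineno, token, line.strip()))
    return findings

if __name__ == "__main__":
    for finding in find_env_gates(SAMPLE):
        print(finding)
```

A hit is a lead for manual review, not a verdict: legitimate apps also branch on device model, so check what the guarded code path skips.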

These two tricks have proven useful to the GhostClicker adware developer, who used them for almost a year. Security firm Trend Micro, which discovered the adware, says the adware creator has been busy uploading GhostClicker-infected apps to the Play Store since August 2016.

The adware evolved during the past year: while it initially required admin rights to operate, current versions of GhostClicker do not. The change in the adware's modus operandi is most likely meant to avoid raising a target's suspicions and to remain on infected devices longer, even if the adware possesses fewer features.

GhostClicker taps on ads, shows popups

As the name suggests, GhostClicker taps on ads for the adware operator's profit. It doesn't tap on just any ads, but only on those served via Google's AdMob platform. Other Android adware like Skyfin and Mapin also used the AdMob platform to boost their profits.

As a secondary method of earning money, GhostClicker also participates in traffic redirection affiliate schemes by showing popups and ads over other apps, trying to redirect users to various pages, such as YouTube links, the Play Store pages of other apps, and more.

Overall, GhostClicker was obviously developed for monetary profit alone, with no support for stealing a user's personal data.

101 of 340 infected apps still available on the Play Store

Trend Micro says it found GhostClicker in mundane apps such as app cleaners, memory boosters, file managers, QR and barcode scanners, multimedia recorders, multimedia players, battery chargers, and GPS navigation apps.

Most victims infected with GhostClicker were from Southeast Asian countries. One of the apps infected with GhostClicker was downloaded by more than five million users.

Experts reported all the 340 infected apps to Google, but 101 of these were still available in the Play Store on August 7.

Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.

Comments

  • Occasional - 3 months ago

    "The secret of sneaking malware past Google is to split malicious behavior across several components, delay its execution, and use anti-sandboxing checks to prevent execution in obvious testing environments."
    Are iTunes and MS Store immune or just less vulnerable?

  • jack_alexander2 - 3 months ago

    I constantly read about these infected apps and wonder why no one is publishing a list of the guilty items.

  • campuscodi - 3 months ago

    Fear of lawsuits. If they didn't publish IOCs, it's probably because the apps were developed by a legal entity. In most cases.

    In other cases, cyber-sec firms don't want to share research with competitors.
