The developers of an Android adware family named GhostClicker have managed to sneak their malware onto the official Google Play Store on several occasions, hiding it in as many as 340 mundane Android apps.
There have been so many cases of Android adware making it onto the Google Play Store that it is getting harder to keep track of all the adware families. Previous cases include Chamois, FalseGuide, HummingBad, Viking Horde, DressCode, CallJam, and Skinner, to name only the biggest.
All of them point to the same weakness in Google's Play Store security checks, one that malware developers keep exploiting to push adware to unsuspecting users.
The secret of sneaking malware past Google is to split malicious behavior across several components, delay its execution, and use anti-sandboxing checks to prevent execution in obvious testing environments.
GhostClicker uses two of these techniques. The first is hiding its malicious code inside the app's copies of the Google Mobile Services (GMS) API and the Facebook Ads software development kit (SDK), where it blends in with legitimate library code. The second is an anti-sandboxing check that keeps the malware dormant if the smartphone's user-agent string contains the term "nexus", a device name used by many Android sandboxing and emulator setups.
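The practical lesson for anyone running a dynamic-analysis sandbox is that its identity strings must not trip checks like this one. The Python below is an added example, not code from GhostClicker or from Trend Micro's analysis: the first function mirrors the "nexus" user-agent check as the article describes it, and the second audits a device profile for that marker. As a generalisation beyond what the article covers, the audit also looks for other well-known Android emulator tells (Build.PRODUCT values starting with "sdk", "generic" fingerprints, "goldfish"/"ranchu" hardware), on the assumption that the sandbox is built on stock emulator images. The two device profiles are constructed samples, not captured from real devices.

```python
"""Audit a sandbox device profile against a GhostClicker-style evasion check.

Added example. Only the "nexus" marker comes from the GhostClicker
write-up; the remaining markers are generic Android emulator tells
(assumption: the sandbox runs on stock emulator images).
"""
from dataclasses import dataclass

# Field -> substrings (lower-case) that evasion code commonly tests for.
MARKERS = {
    "user_agent": ("nexus",),
    "model": ("nexus", "google_sdk", "sdk_gphone", "emulator",
              "android sdk built for"),
    "product": ("sdk", "google_sdk", "sdk_gphone", "vbox"),
    "fingerprint": ("generic", "test-keys"),
    "hardware": ("goldfish", "ranchu"),
}


@dataclass
class DeviceProfile:
    """Identity strings an app can read: http.agent plus android.os.Build fields."""
    user_agent: str   # System.getProperty("http.agent")
    model: str        # Build.MODEL
    product: str      # Build.PRODUCT
    fingerprint: str  # Build.FINGERPRINT
    hardware: str     # Build.HARDWARE


def ghostclicker_style_check(user_agent: str) -> bool:
    """True when the malware, as described, would refuse to run on this profile."""
    return "nexus" in user_agent.lower()


def audit_profile(profile: DeviceProfile) -> list:
    """Return (field, marker) pairs that an evasion check could key on."""
    hits = []
    for field, markers in MARKERS.items():
        value = getattr(profile, field).lower()
        for marker in markers:
            if marker in value:
                hits.append((field, marker))
    return hits


# Constructed sample profiles (not real captures); "SAMPLE" stands in for a build ID.
STOCK_EMULATOR = DeviceProfile(
    user_agent="Dalvik/2.1.0 (Linux; U; Android 7.1.1; Nexus 5X Build/SAMPLE)",
    model="Nexus 5X",
    product="sdk_gphone_x86",
    fingerprint="google/sdk_gphone_x86/generic_x86:7.1.1/SAMPLE/1:user/release-keys",
    hardware="ranchu",
)

# Same sandbox after overriding the identity strings with a real-device look.
HARDENED = DeviceProfile(
    user_agent="Dalvik/2.1.0 (Linux; U; Android 7.1.1; SM-G930F Build/SAMPLE)",
    model="SM-G930F",
    product="heroltexx",
    fingerprint="samsung/heroltexx/herolte:7.1.1/SAMPLE/1:user/release-keys",
    hardware="samsungexynos8890",
)

if __name__ == "__main__":
    for name, profile in (("stock emulator", STOCK_EMULATOR), ("hardened", HARDENED)):
        print(f"{name}: dormant={ghostclicker_style_check(profile.user_agent)} "
              f"hits={audit_profile(profile)}")
```

Run against the stock emulator profile, the audit flags the user-agent and model ("nexus"), the product ("sdk", "sdk_gphone"), the fingerprint ("generic") and the hardware ("ranchu"); the hardened profile produces no hits and would let the sample execute its click logic, which is what the analyst wants to observe.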
These two tricks have proven useful to the GhostClicker developers, who have used them for almost a year. Security firm Trend Micro, which discovered the adware, says its creators have been uploading GhostClicker-infected apps to the Play Store since August 2016.
The adware evolved over the past year: early versions required device administrator rights to operate, but current versions of GhostClicker do not. The change in the adware's modus operandi is most likely meant to avoid raising a target's suspicions and to remain on infected devices longer, even at the cost of fewer features.
As the name suggests, GhostClicker taps on ads for the adware operator's profit. It does not tap on just any ad, only those served via Google's AdMob platform. Other Android adware families, such as Skyfin and Mapin, have also abused the AdMob platform to boost their profits.
As a secondary method of earning money, GhostClicker also participates in traffic redirection affiliate schemes by showing popups and ads over other apps, trying to redirect users to various pages, such as YouTube links, the Play Store pages of other apps, and more.
Overall, GhostClicker was clearly developed for monetary profit alone; it has no capability for stealing a user's personal data.
Trend Micro says it found GhostClicker in mundane apps such as app cleaners, memory boosters, file managers, QR and barcode scanners, multimedia recorders, multimedia players, battery chargers, and GPS navigation apps.
Most victims infected with GhostClicker were from Southeast Asian countries. One of the apps infected with GhostClicker was downloaded by more than five million users.
Trend Micro reported all 340 infected apps to Google, but 101 of them were still available in the Play Store on August 7.