22 apps with 2 million+ Google Play downloads had a malicious backdoor


Device-draining downloader used for ad fraud could have included other malicious files.

Dan Goodin


Nearly two dozen apps with more than 2 million downloads were removed from the Google Play market after researchers discovered they contained a device-draining backdoor that allowed them to surreptitiously download files from an attacker-controlled server.

The 22 rogue titles included Sparkle Flashlight, a flashlight app that had been downloaded more than 1 million times since it entered Google Play sometime in 2016 or 2017, antivirus provider Sophos said in a blog post published Thursday. Beginning around March of this year, Sparkle Flashlight and two other apps were updated to add the secret downloader. The remaining 19 apps became available after June and contained the downloader from the start.

“Serious harm”

By the time Google removed the apps in late November, they were being used to click endlessly on fraudulent ads. “Andr/Clickr-ad,” as Sophos has dubbed the family of apps, automatically started and ran even after a user force-closed them, capabilities that caused the apps to use large amounts of bandwidth and drain batteries. In Thursday’s post, Sophos researcher Chen Yu wrote:

Andr/Clickr-ad is a well-organized, persistent malware that has the capability to cause severe harm to end users, as well as to the entire Android ecosystem. These apps generate fraudulent requests that cost ad networks significant revenue on account of the fake clicks.

From the user’s perspective, these apps drain their phone’s battery and may cause data overages, because the apps are constantly running and communicating with servers in the background. Furthermore, the devices are fully controlled by the C2 server and can potentially install any malicious modules upon the instructions of the server.

The apps worked by reporting to an attacker-controlled domain, mobbt.com, where the infected phones would download ad-fraud modules and receive specific instructions every 80 seconds. The modules caused the phones to click on large numbers of links that hosted fraudulent apps. To prevent users from suspecting their phones were infected, the apps displayed the ads in a window that was zero pixels high and zero pixels wide.

To give defrauded advertisers the false impression that the clicks were coming from a much bigger pool of legitimate users, Andr/Clickr-ad manipulated user-agent strings to pose as a variety of apps running on a variety of phones, including iPhones. The following image shows a malicious app running on an Android virtual device identifying itself as running on an iPhone.

[Image: a malicious app running on an Android virtual device, identifying itself as running on an iPhone]

Many of the malicious Google Play apps were made by developers who had titles in the iOS App Store.

The captured traffic displayed below, also taken from an Android virtual device, shows Andr/Clickr-ad abusing Twitter’s ad network by posing as an ad running on a Samsung Galaxy S7:

[Image: captured traffic from an Android virtual device, showing Andr/Clickr-ad posing as an ad running on a Samsung Galaxy S7 on Twitter’s ad network]

Maximizing profits, spreading out the fraud

In all, Sophos observed server data causing the fake clicks to appear as if they were coming from Apple models ranging from the iPhone 5 to the 8 Plus, and from 249 different forged models from 33 distinct brands of Android phones (purportedly) running Android OS versions ranging from 4.4.2 to 7.x. The fake user-agent data likely served several purposes. First, the iPhone labels may have allowed the scammers to earn higher rates, since some advertisers pay premiums when their ads are viewed by iPhone users. Second (and more importantly), the fake labeling made it appear that the ads were being clicked on by a much larger number of devices.

To ensure maximum revenue, Andr/Clickr-ad apps were programmed to run automatically whenever an infected phone was rebooted, by means of a BOOT_COMPLETED broadcast. In the event a user force-closed an app, the developers created a sync adapter to restart the app three minutes later. The apps checked for new ad instructions as often as every 80 seconds and checked for new module downloads as often as every 10 minutes.
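The behaviours described above (an 80-second instruction poll to mobbt.com, and one handset presenting itself as many different phones) are exactly what shows up in egress logs. The following detection heuristic is an added example, not code from Sophos or the article; it runs over constructed proxy log lines (timestamp, client IP, host, user-agent) and flags a client that contacts the named domain, beacons at roughly the reported interval, or rotates between iPhone and Android user-agent families. The log format and IP addresses are assumptions.

```python
"""Flag Andr/Clickr-ad-style beaconing and user-agent rotation in proxy logs."""
from collections import defaultdict
from statistics import median

# Constructed sample log: "<unix_ts> <client_ip> <host> <user-agent>". Not a real capture.
SAMPLE_LOG = """\
1543190000 10.0.0.5 mobbt.com Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
1543190080 10.0.0.5 mobbt.com Mozilla/5.0 (Linux; Android 7.0; SM-G930F)
1543190160 10.0.0.5 mobbt.com Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
1543190240 10.0.0.5 mobbt.com Mozilla/5.0 (Linux; Android 4.4.2; LG-D855)
1543190320 10.0.0.5 mobbt.com Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X)
1543190010 10.0.0.7 example.org Mozilla/5.0 (Linux; Android 8.0; Pixel 2)
1543190900 10.0.0.7 example.org Mozilla/5.0 (Linux; Android 8.0; Pixel 2)
"""

C2_DOMAIN = "mobbt.com"   # command-and-control domain named in the Sophos report
BEACON_SECONDS = 80       # instruction poll interval named in the report
TOLERANCE = 0.15          # accept a median gap within 15% of the expected interval


def parse(log_text):
    """Yield (timestamp, client, host, user_agent) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host, ua = line.split(maxsplit=3)
            yield int(ts), client, host, ua


def ua_family(ua):
    """Coarse platform claimed by the user-agent string."""
    return "iPhone" if "iPhone" in ua else "Android" if "Android" in ua else "other"


def flag_clients(log_text, min_hits=3):
    """Return {client: [reasons]} for clients showing any of the three indicators."""
    per_client = defaultdict(list)
    for ts, client, host, ua in parse(log_text):
        per_client[client].append((ts, host, ua))
    findings = {}
    for client, rows in per_client.items():
        rows.sort()
        reasons = []
        if C2_DOMAIN in {host for _, host, _ in rows}:
            reasons.append("contacts " + C2_DOMAIN)
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        if len(rows) >= min_hits and abs(median(gaps) - BEACON_SECONDS) <= BEACON_SECONDS * TOLERANCE:
            reasons.append("beacons every ~%ds" % median(gaps))
        families = {ua_family(ua) for _, _, ua in rows}
        if len(families) > 1:  # one handset claiming to be several platforms
            reasons.append("rotates UA across %s" % sorted(families))
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in flag_clients(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

A real deployment would key on more than one hard-coded domain and derive the interval from the data rather than the report, but the three indicators are the durable ones.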

Thursday’s post is the latest evidence that Google cannot proactively police its own market for apps that pose a severe security threat, although in fairness the company is usually very quick to remove titles once they’re reported. While Google removed the malicious apps on November 25, it’s not clear that all phones that downloaded them were disinfected. Google representatives did not respond to an email asking about this. Android has the ability to automatically remove apps that are later found to be abusive, but it’s worth checking manually.

The 22 apps listed by Sophos are:

Package name | App name | SHA-1
com.sparkle.flashlight Sparkle FlashLight 9ed2b260704fbae83c02f9f19a2c4e85b93082e7
com.mobilebt.snakefight Snake Attack 0dcbbae5d18c33039db726afd18df59a77761c03
com.mobilebt.mathsolver Math Solver be300a317264da8f3464314e8fdf08520e49a55b
com.mobilebt.shapesorter ShapeSorter e28658e744b2987d31f26b2dd2554d7a639ca26d
com.takatrip.android Tak A Trip 0bcd55faae22deb60dd8bd78257f724bd1f2fc89
com.magnifeye.android Magnifeye 7d80bd323e2a15233a1ac967bd2ce89ef55d3855
com.pesrepi.joinup Join Up c99d4eaeebac26e46634fcdfa0cb371a0ae46a1a
com.pesrepi.zombiekiller Zombie Killer 19532b1172627c2f6f5398cf4061cca09c760dd9
com.pesrepi.spacerocket Space Rocket 917ab70fffe133063ebef0894b3f0aa7f1a9b1b0
com.pesrepi.neonpong Neon Pong d25fb7392fab90013e80cca7148c9b4540c0ca1d
app.mobile.justflashlight Just Flashlight 6fbc546b47c79ace9f042ef9838c88ce7f9871f6
com.mobile.tablesoccer Table Soccer fea59796bbb17141947be9edc93b8d98ae789f81
com.mobile.cliffdiver Cliff Diver 4b23f37d138f57dc3a4c746060e57c305ef81ff6
com.mobile.boxstack Box Stack c64ecc468ff0a2677bf40bf25028601bef8395fc
net.kanmobi.jellyslice Jelly Slice 692b31f1cd7562d31ebd23bf78aa0465c882711d
com.maragona.akblackjack AK Blackjack 91663fcaa745b925e360dad766e50d1cc0f4f52c
com.maragona.colortiles Color Tiles 21423ec6921ae643347df5f32a239b25da7dab1b
com.beacon.animalmatch Animal Match 403c0fea7d6fcd0e28704fccf5f19220a676bf6c
com.beacon.roulettemania Roulette Mania 8ad739a454a9f5cf02cc4fb311c2479036c36d0a
com.atry.hexafall HexaFall 751b515f8f01d4097cb3c24f686a6562a250898a
com.atry.hexablocks HexaBlocks ef94a62405372edd48993030c7f256f27ab1fa49
com.atry.pairzap PairZap 6bf67058946b74dade75f22f0032b7699ee75b9e

Android users should be highly selective about the apps they install. Carefully reading reviews can sometimes help, but the rave reviews many of the Andr/Clickr-ad apps received underscore the limits of this measure. Ultimately, the advice that makes the most sense is to install as few apps as possible, particularly when, as is the case with flashlight apps, the same feature is provided inside the Android OS itself.

