Malware being spread via the official Google Apps store is nothing new. Malware developers are always trying to find new ways to skirt Google’s defenses to deliver their payload to unsuspecting users. While the majority of these apps don’t spread too far before they’re caught, one strain of malware managed to catch a ride on over 2 million downloaded apps before it was taken off the market. This has caused some concern over how Google vets their apps before distributing them to users.
How the Malware Worked
The malware in question is called “Andr/Clickr-ad,” and you can get a general idea of what it did by its name alone. Twenty-two apps were laced with this malware, which were then released to the general public. The apps themselves were highly functional and did their jobs well, meaning people would flock to the app page to give it high ratings and positive reviews, thus spreading the malware further.
When the malware got onto a system, it began calling up adverts onto the phone and automatically clicking them to gain ad revenue for the developers. This is a typical step for ad-clicker malware, but what made Clickr-Ad so nefarious was how it covered its tracks. It masked two agents of ad-clicker malware that usually catch it before it can do its job properly: the user of the phone and the advertising companies being used to deliver the adverts.
If ad-clicker malware actually shows an advertisement to the user, it’s shooting itself in the foot. A user will become aware that ads are popping up on their phone and will act to remove it. The key is to cut the user out of the equation altogether by not allowing the user to notice the ad, as well as clicking the ad by itself.
The way Clickr-Ad solved this problem was that it displayed the ad in a background web browser frame that was 0x0 pixels in size. That way users were kept in the dark that an ad was playing. The infected app didn’t even have to be open for the malware to work – it could pop up a new ad every few seconds over the course of the day and the user would be none the wiser. The only symptom users would notice was an increase in battery drain from loading adverts.
The Advertising Companies
The adverts that these ad clickers use don’t just come out of nowhere! They have to be queried from an advertising company who then pays for the clicks. If a company sees one app constantly churning out ads on a specific phone, it may raise eyebrows and cause them to rectify the problem.
To avoid this, the malware makes customized queries to the advertising companies. It can claim it’s running an ad on either Android or iOS, as well as randomly pick a device and app name. This way the company sees different queries from different phones rather than multiple queries from one app.
The Infected Apps
With Clickr-Ad’s sneaky tactics, users would be hard-pressed to notice their device was earning the developer’s money. The malware operated regardless of whether the app was open or not, so even if users noticed the increased battery drain, they wouldn’t know what exactly was doing the damage. As a result, the apps went for months before being identified as malware carries.
As we covered above, twenty-two apps in total were laced with this malware, one of which hit 1 million downloads by itself. If you’ve downloaded any of the apps listed at the bottom of the Sophos News article about the malware, be sure to remove it ASAP.
With mobile malware being big business, malware developers are always finding ways to sneak it onto people’s devices. This particular attack was very wide-spread, so be sure to remove the app if you find it on any of your devices.
How concerned are you over infected malware being so easily downloaded from official app stores? Let us know below.
Images Credit: Sophos