Clicker Malware Garners Estimated 20 Million Downloads


So-called “clicker” malware designed to facilitate ad fraud has been found on 16 mobile apps in the Google Play store, according to McAfee.

After being notified by the security vendor, Google has removed the offending apps, which are estimated to have garnered as many as 20 million downloads.

Detected as Android/Clicker, the malware was inserted into legitimate-looking utility apps such as flashlights, QR readers, cameras, unit converters and task managers.

“Once the application is opened, it downloads its remote configuration by executing an HTTP request,” explained McAfee.

“After the configuration is downloaded, it registers the FCM (Firebase Cloud Messaging) listener to receive push messages. At first glance, it seems like well-made Android software. However, it is hiding ad fraud features behind, armed with remote configuration and FCM techniques.”

Specifically, the malware forces infected devices to visit and browse certain websites in the background, without the user's knowledge.

This generates ad fraud profit for the threat actor in the form of fake clicks. For the user, it can also degrade device performance, run down the smartphone’s battery and run up additional mobile data fees.

There are two key pieces of malicious code at play: the ‘’ library focuses on automated clicking, while the ‘com.liveposting’ library works as an agent to run hidden adware services.

To avoid attracting the device user's attention, Android/Clicker leaps into action only when an infected smartphone is not in use. It will also not work within an hour of initial installation, McAfee said.
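A triage heuristic for the idle-time browsing described above, as an added example that is not McAfee's detection logic or code from the article. The telemetry record layout, the thresholds and the package names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry, one record per sampling interval:
# (package, screen_on, app_in_foreground, http_requests).
# Record layout and package names are assumptions for illustration.
SAMPLE_EVENTS = [
    ("com.example.flashlight", True,  True,  3),
    ("com.example.flashlight", False, False, 40),
    ("com.example.flashlight", False, False, 55),
    ("com.example.browser",    True,  True,  120),
    ("com.example.browser",    False, False, 4),
    ("com.example.podcasts",   False, False, 6),
]


def idle_traffic_share(events):
    """Return {package: (idle_requests, total_requests)}.

    A request counts as idle when the screen is off and the app is
    not in the foreground, i.e. the device is not in use.
    """
    totals = defaultdict(lambda: [0, 0])
    for package, screen_on, foreground, requests in events:
        if requests < 0:
            raise ValueError(f"negative request count for {package}")
        totals[package][1] += requests
        if not screen_on and not foreground:
            totals[package][0] += requests
    return {pkg: tuple(counts) for pkg, counts in totals.items()}


def flag_idle_browsers(events, min_idle_requests=50, min_share=0.8):
    """Flag packages whose web traffic is mostly generated while idle.

    Both thresholds are assumed values: the volume floor keeps light
    background sync from being flagged, and the share requirement keeps
    apps that are mainly used interactively out of the result.
    """
    flagged = {}
    for package, (idle, total) in idle_traffic_share(events).items():
        if total == 0:
            continue
        share = idle / total
        if idle >= min_idle_requests and share >= min_share:
            flagged[package] = round(share, 2)
    return flagged


if __name__ == "__main__":
    print(flag_idle_browsers(SAMPLE_EVENTS))
```

A flagged package is a lead for review, not a verdict; a utility app such as a flashlight has little reason to issue web requests at all, which makes a high idle share more notable there.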

“We recommend having a security software installed and activated so you will be notified of any mobile threats present on your device in a timely manner,” the security vendor concluded.

“Once you remove this and other malicious applications, you can expect an extended battery time and you will notice reduced mobile data usage while ensuring that your sensitive and personal data is protected from this and other types of threats.”
