Malicious clicker apps in Google Play have over 20 million installations Security Affairs

Researchers discovered 16 malicious clicker apps in the official Google Play Store that were downloaded by 20 million+ users.

Security researchers at McAfee have discovered 16 malicious clicker apps available on the official Google Play Store that were installed more than 20 million times. One of these apps, called DxClean, has more than five million downloads and a user rating of 4.1 out of 5 stars.

Clicker apps are adware software that load ads in invisible frames or in the background and click them to generate revenue for the threat actors behind the campaign.

“Recently, the McAfee Mobile Research Team has identified new Clicker malware that infiltrated Google Play. A total of 16 applications previously on Google Play have been confirmed to have the malicious payload with an estimated 20 million installs.” reads the report published by McAfee.

Threat actors have hidden the malicious code in useful tools such as Torch, QR readers, Camara, device converters and task managers.

When running the clicker apps, they will download the configuration from a remote server and register the FCM listener to receive push notifications.

“Once the application is opened, it downloads the external configuration by making an HTTP request. After the configuration is downloaded, it registers the FCM (Firebase Cloud Messaging) listener to receive push messages. At first glance, it seems like well-made android software. However, it hides ad fraud features behind, armed with remote configuration and FCM techniques.” the report continues.

The FCM message contains several pieces of information, such as the functions to call and the parameters to send them.

When the app receives an FCM message that meets a condition, the corresponding function starts in the background. Typically, the features instruct the device to visit websites in the background while mimicking the user’s behavior. This can cause heavy network traffic and consume power while generating profit for the attackers by clicking on ads without users’ knowledge.

The experts identified two pieces of code in these clicker apps, one is the “com.click.cas” library that is used to automate the click functionality, the other is the “com.liveposting” library that acts as an agent and runs hidden adware services.

All 16 Clicker apps reported by McAfee experts have been removed from Google Play, the security firm also shared

“Clicker malware targets illegal ad revenue and could disrupt the mobile advertising ecosystem.” concludes the report Malicious behavior is cleverly hidden from detection.” concludes the report.

“We recommend having a security software installed and activated so that you will be notified of any mobile threats on your device in time. When you remove this and other malicious applications, you can expect extended battery life and you will notice reduced mobile data usage while ensures that your sensitive and personal data is protected against this and other types of threats.”

Follow me on Twitter: @securityaffairs and Facebook