22 apps with 2 million+ Google Play downloads had a malicious backdoor

Google logoAlmost two dozen apps with more than 2 million downloads have been removed from the Google Play market after researchers found they contained a device-draining backdoor that allowed them to surreptitiously download files from an attacker-controlled server.

The 22 rogue titles included Sparkle Flashlight, a flashlight app that had been downloaded more than 1 million times since it entered Google Play sometime in 2016 or 2017, antivirus provider Sophos said in a blog post published Thursday. Beginning around March of this year, Sparkle Flashlight and two other apps were updated to add the secret downloader. The remaining 19 apps became available after June and contained the downloader from the start.

By the time Google removed the apps in late November, they were being used to click endlessly on fraudulent ads. "Andr/Clickr-ad," as Sophos has dubbed the family of apps, automatically started and ran even after a user force-closed them, functions that caused the apps to consume huge amounts of bandwidth and drain batteries. In Thursday's post, Sophos researcher Chen Yu wrote:

Andr/Clickr-ad is a well-organized, persistent malware that has the potential to cause serious harm to end users, as well as the entire Android ecosystem. These apps generate fraudulent requests that cost ad networks significant revenue as a result of the fake clicks.

 

From the user's perspective, these apps drain their phone's battery and may cause data overages as the apps are constantly running and communicating with servers in the background. Furthermore, the devices are fully controlled by the C2 server and can potentially install any malicious modules upon the instructions of the server.

The apps worked by reporting to an attacker-controlled domain, mobbt.com, where the infected phones would download ad-fraud modules and receive specific commands every 80 seconds. The modules caused the phones to click on huge numbers of links that hosted fraudulent apps. To prevent users from suspecting their phones were infected, the apps displayed the ads in a window that was zero pixels high and zero wide.

To give defrauded advertisers the false impression the clicks were coming from a much larger pool of authentic users, Andr/Clickr-ad manipulated user-agent strings to pose as a wide variety of apps running on a wide variety of phones, including iPhones. The following image shows a malicious app running on an Android virtual device identifying itself as running on an iPhone.

Many of the malicious Google Play apps were made by developers who had titles in the iOS App Store.

Source: Ars Technica

Tags: Google, security

Comments
Add comment

Your name:
Sign in with:
or
Your comment:


Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party


Last news

 
But anti-cheat software is apparently still an issue
 
Google Inbox was due to close down -- it was just a matter of when
 
The fine is for Google's activities in relation to AdSense between 2006 and 2016
 
The Stadia servers are capable of providing 4K, 60 frames-per-second performance
 
All EU Android users will get the option to turn down Google Search and Chrome
 
 
iPhone, iPad, and Apple Watch developers will be required to use the latest iOS and watchOS SDKs
 
The maximum number of people that you can have on a Skype video call right now is 25
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 /
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /
 
 

News Archive

 
 
SuMoTuWeThFrSa
     12
3456789
10111213141516
17181920212223
24252627282930
31




Poll

Do you use microSD card with your phone?
or leave your own version in comments (15)