It keeps happening over and over again. Just last month, we reported that 13 malicious gaming apps were pulled down from the Google Play Store after receiving close to 500,000 installs on the Android store.
This time around, another batch of Android apps with malicious behavior have been pulled from the Google Play Store, but not before receiving over 2 million downloads from unsuspecting Android users.
According to network security researchers from Sophos, the apps taken down from the Play Store are 22 in number, and they include Sparkle Flashlight, a flashlight app that has been download more than a million times since its arrival on the Play Store in 2016 or 2017.
The researchers explained that the apps contained a device-draining backdoor that allowed them to surreptitiously download files from an attacker controlled server.
Now when these apps download those ad-fraud modules from the attacker controlled server, they receive a specific command every 80 seconds, which the ad-fraud modules will then cause the Android device which the malware is running on to click on huge numbers of links that hosts fraudulent apps. To evade users from suspecting that their phones is housing a malware, the apps will display the ads in a window that is zero pixels high and zero wide.
The authors behind this made the apps to perform clickfraud, which did not only steal from the advertisers, but also made these Android apps to pose as "Apple devices to advertisers, possibly in order to earn a premium return on their criminal activity."
The malware used here is known as Andr/Clickr-ad, a persistent malware that automatically starts and run even after the user force-closes them. The tasks carried out by this malware consumes heavy amount of bandwidth and drains a lot of battery power.
"Andr/Clickr-ad is a well-organized, persistent malware that has the potential to cause serious harm to end users, as well as the entire Android ecosystem," Sophos researcher Chen Yu wrote. "These apps generate fraudulent requests that cost ad networks significant revenue as a result of the fake clicks."
Chen Yu continued. "From the user's perspective, these apps drain their phone's battery and may casue data overages as the apps are constantly running and communicating with servers in the background. Furthermore, the devices are fully controlled by the C2 server and can potentially install any malicious modules upon the instructions of the server."
Sophos said that some of the malware infested apps didn't start out evil, but were later Trojanized with the clickfraud code.
So far, all the apps have been booted out of the Google Play Store, but as it is common with Google, it took the Internet giant sometime to kick out the malicious apps even after they were reported.