Clickers, (malware that mimics the user and performs ‘clicks’ on ads), are a rising threat in the mobile industry. 47 new applications that were available on Google Play, and were downloaded more than 78 million times by users were found infected with malware. A similar campaign began its path in Google Play. Haken malware was found in 8 malicious applications, that had over 50,000 downloads, the clicker aims to get a hold of as many devices as possible to generate illegitimate profit.
The Haken clicker utilizes native code and injection to Facebook and AdMob libraries while communicating with a remote server to get the configuration.
The first entry point of the Haken clicker is the receiver called ‘BaseReceiver’. This receiver asks for permissions that the backdoored app (in this case, a compass application that actually provides a compass service) does not require to function, for instance,BOOT_COMPLETED which let the backdoored application to run code at device start-up. With the usage of native-code, code injection into Ad-SDKs, and backdoored applications from the official store, Haken has shown clicking capabilities while staying under the radar of Google Play. Even with a relatively low download count of 50,000+, this campaign has shown the ability that malicious actors have to generate revenue from fraudulent advertising campaigns.
The ‘Joker’ malware family, originally discovered in September 2019, is a spyware and premium dialer (subscribes the user to premium services) for Android that was found on Google Play.
In the past few months, Joker keeps reappearing in the Google Play store, We have recently discovered four additional samples of Joker on Google Play, downloaded 130,000+ times. Most of these malicious apps are camera utilities and children’s games. Some of them buy premium subscriptions without notifying the user.