Two Dozen Click Fraud Apps Found in Google Play

Attackers managed to pass Google’s defenses and place 22 Android apps on Google Play that engaged in sophisticated advertising click fraud when installed on users’ phones.

The majority of the apps were created after June 2018 and were collectively downloaded more than 2 million times until their removal around Nov. 25.

AWS Builder Community Hub

“The three oldest apps didn’t start out evil, but they seem to have been Trojanized with the clickfraud code added into the apps at around the same time, in June,” researchers from antivirus vendor Sophos, who found the apps, said in a report.

Click fraud in the Android ecosystem is nothing new, but the techniques used by these particular apps were more sophisticated and more difficult to detect than usual. The apps posed as playable games and functioning utilities, such as a flashlight or a magnifying app.

The apps received instructions from a command-and-control server to pull ads from ad networks by posing as other unrelated apps running on different types of devices, including Apple ones. The received ads were not displayed to users but were rendered inside a hidden browser window where the app automatically interacted with them. This happened even when the apps were not opened.

“The only effects a user might notice is that the apps would use a significantly greater amount of data, at all times, and consume the phone’s battery power at a more rapid rate that the phone would otherwise require,” the Sophos researchers said. “Because consumers would not be able to correlate these effects to the apps themselves, their Play Market reviews for these apps showed few negative comments.”

The mimicking of other applications and devices was designed to make it difficult for the advertisers to discover the origin of the fraud, even if they detected it. And aside from the click fraud capability, the rogue apps could also receive and execute malicious code from the command-and-control servers, so they could serve as malware downloaders.

“Andr/Clickr-ad is a well-organized, persistent malware that has the potential to cause serious harm to end users, as well as the entire Android ecosystem,” the Sophos researchers said. “These apps generate fraudulent requests that cost ad networks significant revenue as a result of the fake clicks. From the user’s perspective, these apps drain their phone’s battery and may cause data overages as the apps are constantly running and communicating with servers in the background.”

Linux Rabbit Malware Infects Linux Servers and IoT Devices

Security researchers have identified a new malware family that infects Linux-based devices and servers with cryptomining code.

According to researchers from Anomali, the first campaign started in August and infected Linux servers only in Russia, South Korea, the U.K. and the United States. The initial infection vector for that campaign is not known, but the malware has the capability to launch SSH brute-force password guessing attacks against other systems.

The malware communicated with command-and-control servers over the Tor network and deployed a cryptocurrency mining program on compromised systems. It could also receive instructions from GitHub.

In September and October, the researchers observed a second campaign with a new strain dubbed Rabbot that shared the same code base as Rabbit, but could also infect IoT devices with other CPU architectures. The malware exploited at least five vulnerabilities to spread and its distribution was no longer limited to certain countries.

Depending on the device’s CPU architecture, Rabbot can install one of two Monero cryptomining programs. If the compromised device is a web server, it will also inject the CoinHive cryptomining script into HTML files hosted on it, so visitors to those websites will also be affected.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin