Trojan Porn Clicker returns to Google Play

Recently, Avast researchers discovered the Trojan porn clicker uploaded to Google Play Store and posing as “Dubsmash 2”. This clicker pretended to be an official application, and was downloaded more than 100,000 times. While the click fraud activity did not cause direct harm to the victims such as stealing credentials, it does generate a lot of internet traffic and may cause high data charges for victims that have a restricted data plan, leaving them with high cellphone bills at the end of the month.

Less than a month later, ESET researchers discovered that a plethora of variants of this same fake Dubsmash application found their way on to the official Google Play, showing the very same icons and preview pictures.

While this threat is entirely different from the one we documented last week, both cases are similar in the sense that they managed to get into the Google Play Store when they should have been rejected.

Figure 1 Fake Dubsmash 2 from Google Play – available between May 20 and May 22

The latest Dubsmash 2 Trojan was uploaded to Play Store on May 20, 2015 and pulled on May 22, 2015. In the two days during that it was available for download, it was downloaded more than 5,000 times. The malware once again used a clicker technique identical to that used in its earlier version.

The author of the malware didn’t wait too long before uploading another version of the porn clicker to Google Play on May 23, 2015, passed off as Dubsmash v2. After three days the application had been downloaded more than ten of thousands of times. On May 25, 2015 and on May 26 2015 Dubsmash 2 was uploaded to the Play Store for the fourth and fifth time with the same malicious code implemented. It’s very rare for malware to be uploaded to official Play Store with the same functionality so many times over such a short period.

Figure 2 Fake Dubsmash v2 – May 23

Figure 3 Fake Dubsmash 2 – May 25

Figure 4 Fake Dubsmash 2 – May 26

ESET security software detects this threat as Android/Clicker Trojan. The fake applications were quickly removed from Play Store after we notified Google.

Figure 5 Android/Clicker Trojan removed from Google Play

After further research we discovered that these four applications were not the only Dubsmash 2 applications uploaded to the Google Play Store. We found another four applications that were removed from the Play Store in the past. ESET identified nine Trojan Clicker applications altogether that were made available for download, disguised as fake Dubsmash 2 applications.

Figure 5 Other Dubsmash 2 variants

Analysis

After installation, the user will not find any new Dubsmash icon on the device. The newly installed app’s icon or name has nothing in common with the real Dubsmash application. Mostly it pretends to be a simple arcade game or system application. After startup, the application hide its launching icon, but it is still constantly running in the background, accessing porn pages to generate revenue via click fraud.

Figure 7 Dubsmash 2 icons

Malicious activity is triggered when the device changes its connection. It’s not difficult to get the server URL address, as the app developer did not encrypt URLs this time. The server URL can be found in the code in plaintext. But there is one interesting change from the last version. Malicious code will not be executed if anti-virus software is installed on the device. The Trojan checks installed applications, based on package names, against the names of 16 anti-virus vendors. Package names are dynamically requested from server over HTTP. Package names can be easily updated to add other anti-malware applications. When the Trojan is installed it may not yet be detected by all AV solutions, but in many cases AV vendors can block URLs on request if they are found to be malicious. In one case the Trojan uses the server to communicate with as in its earlier version. It’s very suspicious when the user is warned that his device is trying to request data from a server that has already been blocked. At this point, the user may be alarmed to find that something suspicious is going on.

Package Name
com.eset.ems2.gp
com.kms.free
com.avast.android.mobilesecurity
com.symantec.mobilesecurity
com.antivirus
com.drweb
com.cleanmaster.mguard
com.cleanmaster.security
com.avira.android
com.wsandroid.suite
com.drweb.pro
org.antivirus
com.s.antivirus
jp.naver.lineantivirus.android
org.antivirus.tablet
org.antivirus.tcl.plugin.trial_to_pro

If none of these applications are installed then Dubsmash 2’s true functionality is initiated. The Trojan will demand porn links from its server. These links will be loaded every 60 seconds into WebView inside an invisible window, with a random clicking pattern applied.

Conclusion

It looks as if the official Play Store has still some weak spots, given that the same malicious applications were uploaded and offered to more than ten of thousands of users for the fourth time in just a month. The developer misused the name of a popular, for his own financial gain. We advise users to read reviews even when the application is not requesting any harmful or suspicious permissions.

More information

Package name
MD5
ESET Detection name
com.mym.gms BC72AD89E02C5FAA8FD84EBE9BF9E867 Android/Clicker.M
com.jet.war 8788B7C60BC9021A5F6162014D7BD1A6 Android/Clicker.L
com.lh.screens A2CCD03A1997F86FB06BD1B21556C30F Android/Clicker.M
com.jet.sman 6E20146EB52AEA41DB458F494C3ED3E6 Android/Clicker.J

by Lukas Stefanko, ESET


One thought on “Trojan Porn Clicker returns to Google Play

  1. Good review, but you don’t know how much more that has been allowed to be filtered through play and Microsoft and that which developer hackers, organized criminals and other groups have used to pass through their security and because of their lack of oversite its to them that any hint of trogen clickers, that being which the article speaks, is not the norm, but anomaly which was able to get through or be of any harm to 👥 , the truth of inclusion of which they are caulpable what do you think is the response? To understand it is that which I just included into this comment, among trusted and pre-installed apps in all products that extended permission and replicating web pages among the code and advertising links to rerout I believe to their ultimate goal, I any access point in city, I STATE I and government systems which once a full mirror of the system Good review, but you don’t know how much more that has been allowed to be filtered through play and Microsoft and that which developer hackers, organized criminals and other groups have used passed their security and because of their lack of oversite its to them any hint of trogen clickers, that being the artivalalsbut the utm_site campaign web diverted replicate migration of recoded /extended access which as the gate keepers to society and the world systems that their respsible , and using and done irreparable harm to me the dismissive attituded is Understandlable since it would open a wormhole that can lead to the pandoras box that some and most in there community had fight every day. Past Tense, to protect the public but are now, they are the original access point that that has filtered open-source coding teams and application building projects unrecoded/exenlded apps that have trusted status for lapls to level androidp As of 20l15 they know the intrusion they assisted to filter into phones and computers it’s to late khowing how serious there compribal l introducing the next indone the same very lack of alarm google among other very large companies that I personally contacted and provided information too because of the representation tiowhich is the intended coming beneficial to not acknowledge or speak to but dismiss and join in the dissinformation to public and officials but I promise you is known because I have braved land stood up after now but the utm_site campaign web diverted replicate migration of recoded /extended access which as the gate keepers to society and the world systems that their respsible , and using and done irreparable harm to me the dismissive attituded is Understandlable since it would open a wormhole that can lead to the pandoras box that some and most in there community had fight every day. Past Tense, to protect the public but are now, they are the original access point that that has filtered open-source coding teams and application building projects unrecoded/exenlded apps that have trusted status for lapls to level androidp As of 20l15 they know the intrusion they assisted to filter into phones and computers it’s to late khowing how serious there compribal l introducing the next indone the same very lack of alarm google among other very large companies that I personally contacted and provided information too because of the Good review, but you don’t know how much more that has been allowed to be filtered through play and Microsoft and that which developer hackers, organized criminals and other groups have used passed their security and because of their lack of oversite its to them any hint of trogen clickers, that being the artivalalsbut the utm_site campaign web diverted replicate migration of recoded /extended access which as the gate keepers to society and the world systems that their respsible , and using and done irreparable harm to me the dismissive attituded is Understandlable since it would open a wormhole that can lead to the pandoras box that some and most in there community had fight every day. Past Tense, to protect the public but are now, they are the original access point that that has filtered open-source coding teams and application building projects unrecoded/exenlded apps that have trusted status for lapls to level androidp As of 20l15 they know the intrusion they assisted to filter into phones and computers it’s to late khowing how serious there compribal l introducing the next indone the same very lack of alarm google among other very large companies that I personally contacted and provided information too because of the ……
    Must end with what looks like jiberish at time’s to make it seem I’m an idot or my words to be taken serious, I but it’s 3 years almost now and I can’t be shut up so I am constantly observed and monitored and interrupted and my words deleted be hind me the and mixed around and out of order so I know when it’s time to stop so I can get something out and I will continue speak out though it’s to late people should be able to choose if the wish to be ignorant of the harm that is and can be done or be informed of the deaths and destruction to many people this tech societies elite and lowlifes are okay to except for the progression of their products, I money and control it brings,
    Sometime it’s the opposite they try because the perception of my warning and words and my actions you never knowing the hell ive been through and the attacks and I fought hard to figure out what was being done accepting all the attacks and all the stupid things that I had to go through and did all the things I needed to do all the money I had to spend on phones and the computers I had to buy because eventually they would take control of my access to get everything out cuz once close you in so what’s the replicated web pages so that you’re not really getting the public so I can keep my mind working when I was too tired once I found out who they were and what they were doing I never let them stopping some giving out what I need what needed to be said even though they try hard every time the stop even though the site Justice skin up to there attack brilliant recoding and skills distorting and information reorganization it i is the

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s