Trojan Porn Clicker returns to Google Play

Recently, Avast researchers discovered the Trojan porn clicker uploaded to Google Play Store and posing as “Dubsmash 2”. This clicker pretended to be an official application, and was downloaded more than 100,000 times. While the click fraud activity did not cause direct harm to the victims such as stealing credentials, it does generate a lot of internet traffic and may cause high data charges for victims that have a restricted data plan, leaving them with high cellphone bills at the end of the month.

Less than a month later, ESET researchers discovered that a plethora of variants of this same fake Dubsmash application found their way on to the official Google Play, showing the very same icons and preview pictures.

While this threat is entirely different from the one we documented last week, both cases are similar in the sense that they managed to get into the Google Play Store when they should have been rejected.

Figure 1 Fake Dubsmash 2 from Google Play – available between May 20 and May 22

The latest Dubsmash 2 Trojan was uploaded to Play Store on May 20, 2015 and pulled on May 22, 2015. In the two days during that it was available for download, it was downloaded more than 5,000 times. The malware once again used a clicker technique identical to that used in its earlier version.

The author of the malware didn’t wait too long before uploading another version of the porn clicker to Google Play on May 23, 2015, passed off as Dubsmash v2. After three days the application had been downloaded more than ten of thousands of times. On May 25, 2015 and on May 26 2015 Dubsmash 2 was uploaded to the Play Store for the fourth and fifth time with the same malicious code implemented. It’s very rare for malware to be uploaded to official Play Store with the same functionality so many times over such a short period.

Figure 2 Fake Dubsmash v2 – May 23

Figure 3 Fake Dubsmash 2 – May 25

Figure 4 Fake Dubsmash 2 – May 26

ESET security software detects this threat as Android/Clicker Trojan. The fake applications were quickly removed from Play Store after we notified Google.

Figure 5 Android/Clicker Trojan removed from Google Play

After further research we discovered that these four applications were not the only Dubsmash 2 applications uploaded to the Google Play Store. We found another four applications that were removed from the Play Store in the past. ESET identified nine Trojan Clicker applications altogether that were made available for download, disguised as fake Dubsmash 2 applications.

Figure 5 Other Dubsmash 2 variants


After installation, the user will not find any new Dubsmash icon on the device. The newly installed app’s icon or name has nothing in common with the real Dubsmash application. Mostly it pretends to be a simple arcade game or system application. After startup, the application hide its launching icon, but it is still constantly running in the background, accessing porn pages to generate revenue via click fraud.

Figure 7 Dubsmash 2 icons

Malicious activity is triggered when the device changes its connection. It’s not difficult to get the server URL address, as the app developer did not encrypt URLs this time. The server URL can be found in the code in plaintext. But there is one interesting change from the last version. Malicious code will not be executed if anti-virus software is installed on the device. The Trojan checks installed applications, based on package names, against the names of 16 anti-virus vendors. Package names are dynamically requested from server over HTTP. Package names can be easily updated to add other anti-malware applications. When the Trojan is installed it may not yet be detected by all AV solutions, but in many cases AV vendors can block URLs on request if they are found to be malicious. In one case the Trojan uses the server to communicate with as in its earlier version. It’s very suspicious when the user is warned that his device is trying to request data from a server that has already been blocked. At this point, the user may be alarmed to find that something suspicious is going on.

Package Name

If none of these applications are installed then Dubsmash 2’s true functionality is initiated. The Trojan will demand porn links from its server. These links will be loaded every 60 seconds into WebView inside an invisible window, with a random clicking pattern applied.


It looks as if the official Play Store has still some weak spots, given that the same malicious applications were uploaded and offered to more than ten of thousands of users for the fourth time in just a month. The developer misused the name of a popular, for his own financial gain. We advise users to read reviews even when the application is not requesting any harmful or suspicious permissions.

More information

Package name
ESET Detection name
com.mym.gms BC72AD89E02C5FAA8FD84EBE9BF9E867 Android/Clicker.M
com.jet.war 8788B7C60BC9021A5F6162014D7BD1A6 Android/Clicker.L
com.lh.screens A2CCD03A1997F86FB06BD1B21556C30F Android/Clicker.M
com.jet.sman 6E20146EB52AEA41DB458F494C3ED3E6 Android/Clicker.J

by Lukas Stefanko, ESET

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s