Porn clicker trojans keep flooding Google Play


ESET researchers have found 343 Porn clicker-type malicious apps on Google Play in just 7 months – and criminals are continuing to upload more on the official app store for the Android mobile platform.

What is a “porn clicker”? Porn clicker trojans, which ESET detects as Android/Clicker, masquerade as legitimate apps, notably fake versions of popular games with names and icons very similar to those of legitimate applications. For instance, there were more than 30 bogus Subway Surfers and more than 60 fake GTA applications. These apps have nothing in common with the official Subway Surfers or GTA games.

After installation, these applications run in the background and access porn websites and click on ads to generate revenue for their operators, robbing advertisers and harming advertising platforms. From the user’s point of view, these Trojans generate a lot of internet traffic, which might have negative consequences for users on metered data plans.

On average, ten new porn clickers a week bypassed Google’s security checks during the latest campaign. These porn clickers not only made it into the store, they also successfully compromised user devices. To get a sense of the scale, porn clickers on Google Play have, on average, been downloaded 3,600 times each. Considering how widespread porn clickers are on the Google Play Store, it is clear that neither the Google Bouncer filter nor Google’s human review process can keep malicious apps completely out of the Store.

However, Google provides its customers with another tool for protection from bad apps: the review system. In the case of porn clickers, this works well: these fake apps typically have very poor ratings, so users have a fair chance of avoiding them. Unfortunately, the huge download numbers show that many users pay no attention to ratings. If an application has more negative comments than positive ones, users should take it as a warning and reconsider their interest in that app.

Some versions of these porn clickers have implemented an antivirus check on the installed apps. If antivirus software is installed on the device, then the malicious functionality will not be triggered. This method is explained in one of our previous articles. The latest version of this porn clicker contains a list of 56 security applications whose presence is checked for on the device.

In any case, we advise all users to have up-to-date security solutions installed on their Android mobile devices. A good security product should stop this threat from installing on the device.

Detailed Analysis

Malicious porn clickers are mostly fake versions of popular games with very similar names and icons to legitimate applications. For instance, there were more than 30 bogus Subway Surfers and more than 60 fake GTA applications.

These apps have nothing in common with the official Subway Surfers or GTA games. The trojans were mostly devoid of any legitimate functionality and took advantage of having been given similar names to those of popular applications.


Based on data found on the attackers’ servers, which generate the ads, there were clearly many more trojan clickers than those found on Google Play. It is hard to determine whether all of those apps were ever on the Play Store; perhaps they were only hosted on third-party stores. We found references to 187 applications aside from those already discovered on the Play Store. All the package names can be found in the appendix.

Some versions of these porn clickers have implemented an antivirus check on the installed apps. If antivirus software is installed on the device, then the malicious functionality will not be triggered. This method is explained in a previous We Live Security article. The latest version of this porn clicker contains a list of 56 security applications whose presence is checked for on the device.

Figure 1 - A list of antivirus or security applications

Over time, as some of these porn clickers were repackaged and re-uploaded to the Play Store, their app name, icon or even developer name changed, while the package name stayed the same.

Figure 2 - Developer apps before

Figure 3 - Developer apps after

A more attractive app name combined with a popular icon obviously leads to even more downloads and, of course, more profit for the developer.
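Two of the behaviours described above, the security-app presence check and the repackaging under an unchanged package name, translate directly into triage logic for an analyst. The script below is an added example and is not ESET’s code or part of the original article. It assumes a handful of illustrative security-app package names (the article says the sample checks 56 but does not list them, so the set here is an assumption), a constructed `adb shell pm list packages` listing, and constructed Play Store listing records. The first function mirrors the malware’s gate, which matters for dynamic analysis: a sandbox with a security app installed will never see the clicker fire. The second groups listings by package name and flags packages whose title or developer changed between uploads.

```python
"""Triage helpers for Android/Clicker-style behaviour (added example; all data constructed)."""
from collections import defaultdict

# ASSUMPTION: illustrative subset of security-app package names a clicker might
# look for. The real sample's list of 56 packages is not reproduced on this page.
SECURITY_APP_PACKAGES = {
    "com.eset.ems2.gp",
    "com.avast.android.mobilesecurity",
    "com.lookout",
    "com.kms.free",
    "com.antivirus",
}

# Constructed output in the format of `adb shell pm list packages`.
PM_LIST_WITH_AV = """package:com.android.chrome
package:com.eset.ems2.gp
package:com.example.subwaysurf3
"""

# Same device image without a security app: what an analysis sandbox should look like.
PM_LIST_SANDBOX = """package:com.android.chrome
package:com.example.subwaysurf3
"""

# Constructed Play listing snapshots: (package name, title, developer, sha256 prefix).
# The package names and digests are hypothetical.
LISTINGS = [
    ("com.example.subwaysurf3", "Subway Surfers 3", "GameDev One", "a1b2"),
    ("com.example.subwaysurf3", "GTA 2016", "Best Games Ltd", "c3d4"),
    ("com.example.templerun3", "Temple Run 3", "Runner Apps", "e5f6"),
]


def parse_pm_list(text):
    """Return the set of package names from `pm list packages` output."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def clicker_would_run(installed, watched=SECURITY_APP_PACKAGES):
    """Mirror the malware's gate: the malicious code runs only if none of the
    watched security apps is installed. Returns (would_run, matches_found)."""
    found = installed & watched
    return (not found, found)


def find_repacks(listings):
    """Group listings by package name; a package whose title or developer
    changed between uploads is flagged as a likely repack. Returns a dict of
    package name -> list of (title, developer, digest) entries."""
    by_pkg = defaultdict(list)
    for pkg, title, dev, digest in listings:
        by_pkg[pkg].append((title, dev, digest))
    repacks = {}
    for pkg, entries in by_pkg.items():
        titles = {t for t, _, _ in entries}
        devs = {d for _, d, _ in entries}
        if len(titles) > 1 or len(devs) > 1:
            repacks[pkg] = entries
    return repacks


if __name__ == "__main__":
    for label, text in (("device with AV", PM_LIST_WITH_AV), ("sandbox", PM_LIST_SANDBOX)):
        would_run, found = clicker_would_run(parse_pm_list(text))
        print(f"{label}: clicker active={would_run}, security apps seen={sorted(found)}")
    for pkg, entries in find_repacks(LISTINGS).items():
        print(f"repack candidate {pkg}:")
        for title, dev, digest in entries:
            print(f"  {title!r} by {dev!r} ({digest})")
```

When building a detonation environment for this family, strip every package on the watched list from the image first; otherwise the absence of traffic to ad and porn domains tells you nothing. For the repack check, keying on the package name rather than the title is the point: the title and developer are exactly the fields the operators rotate.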

How to stay secure

In cases like this, where the malware pretends to be a newly-released game with a fake app name and fake icon (My Talking Tom 3, GTA 2016, Temple Run 3 …), it’s very important to read user reviews. Many of these trojan porn clickers have received bad reviews and a lot of negative comments from users who had already been scammed.

Even if users have no doubts before installation, we advise them to read the reviews and to reconsider downloading the application if there are many negative ratings. In most of these porn clicker cases there are more negative than positive reviews.

Figure 4 - Negative users review

After reading such comments, users should be more aware of the potential risk and reconsider installing the application. In any case, we advise users to keep up-to-date security solutions installed, which should stop such threats from being installed on their devices.

Figure 5 - Negative comments from Google Play

On the other hand, Google’s own ‘Verify apps’ option, when enabled, detects many of these trojan clickers; it blocks installation of applications that may cause harm. Unfortunately, it seems that such apps are often only detected after they have been removed from the Play Store.

Figure 6 - Google apps verification system

Consequences

Trojan porn clickers have infected many Android devices in order to earn money for the criminals who created them. Hopefully these particular fake applications will no longer evade the Play Store’s app evaluation process. Unfortunately, the servers providing the advertisement links are still accessible, so this may not be the last time we hear about the trojan porn clicker.

Details

Details such as Google Play data, hashes, and remote servers can be found in our appendix.

by Lukas Stefanko, ESET
and Urban Schrott, ESET Ireland

